# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51396 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51396 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Telegram Bot Username parameter. This payload is stored and later executed when an admin or higher-privileged user views or edits the Telegram Bot Username. ## Reproduction Steps: 1. Log in as an operator user in Live Helper Chat. 2. Navigate to `Settings > Live Help Configuration > Telegram Bot`. 3. In the **Bot Username** field, enter the following payload: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the settings. 5. Revisit the Telegram configuration panel and — the payload will execute. -------------------------- # Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Operator Surname # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51397 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Operator Surname field. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Operator Surname field. 3. Create new Operator Surname or Modify the Operator Surname, enter the following payload: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the changes. 5. This payload is stored and later executed when an admin or higher-privileged user views the Recipients List where the attacker is listed as the Owner. -------------------------- # Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51398 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51398 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Facebook page integration Name Field. The payload is stored and executed when higher-privileged users (e.g., administrators) access or edit the integration settings, resulting in stored Cross Site Scripting (XSS). ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Facebook page integration. 3. Create new Facebook page integration, enter the following payload in the Facebook page integration Name Field: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the changes. 5. The payload is stored and executed when higher-privileged users (e.g., operator or administrators) access or edit the Facebook page integration, resulting in stored Cross Site Scripting (XSS). -------------------------- # Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51400 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51400 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Personal Canned Messages. When an admin or operator user views the message, and tries to send canned messages the stored javascript executes in their browser context. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Personal Canned Messages. 3. Create new personal canned message, enter the following payload: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the changes. 5. Try to use the personal canned message, the cross site scripting (xss) will execute. -------------------------- # Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Operator Chat Name Field Triggers on Chat Owner Transfer # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51401 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51401 A stored cross-site scripting (XSS) vulnerability in Live Helper Chat version ≤ 4.61 allows attackers to execute arbitrary JavaScript by injecting a crafted payload into the Operator Chat Name Field Triggers on Chat Owner Transfer Functionality on Live Helper Chat. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your operator settings page. 3. In the **Name** field, enter the following payload: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the changes. 5. Initiate a chat with a visitor. 6. Transfer the chat to another operator — the XSS payload executes in the receiving operator’s chat interface. -------------------------- # Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field # Date: 09/06/2025 # Exploit Author: Manojkumar J (TheWhiteEvil) # Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/ # Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/ # Software Link: https://github.com/LiveHelperChat/livehelperchat/ # Version: <=4.61 # Patched Version: 4.61 # Category: Web Application # Tested on: Mac OS Sequoia 15.5, Firefox # CVE : CVE-2025-51403 # Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403 # Reference: https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223 A low-privileged user/operator injects a malicious JavaScript payload into the Department Assignment "Alias Nick" field while assigning or editing department access. When a higher-privileged user (e.g., admin or operator) edits the department assignment "Alias Nick" field, the stored script is executed in their browser context. ## Reproduction Steps: 1. Log in as an operator. 2. Navigate to your Department Assignment settings page. 3. In the "Alias Nick" field, enter the following payload: ``` "><img src="x" onerror="prompt(1);"> ``` 4. Save the changes. 5. Revist the Department Assignment settings page and edit the Alias Nick field, the cross site scripting (xss) will execute.