CVE-2022-0370

Name of the Vulnerable Software and Affected Versions remdex/livehelperchat versions prior to 3.93v

Description The issue is related to Stored Cross-site Scripting (XSS) in the livehelperchat package. It is found in the Settings > Live help configuration > Personal Theme > static content section. An attacker can inject a payload, such as {{constructor.constructor('alert(1)')()}}, into the NAME field while creating content. This input gets stored and the payload is executed every time a user visits the affected page.

Recommendations For versions prior to 3.93v, update to version 3.93v or later to resolve the issue. As a temporary workaround, consider restricting access to the static content section in the Personal Theme settings to minimize the risk of exploitation. Avoid using the static content feature until the issue is resolved.