[webapps] LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username
LiveHelperChat 4.61版本存在存储型XSS漏洞,攻击者通过在Telegram Bot Username参数中注入恶意脚本,在管理员或高权限用户查看或编辑时执行任意JavaScript代码。 2025-7-22 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:20 收藏
LiveHelperChat 4.61版本存在存储型XSS漏洞,攻击者通过在Telegram Bot Username参数中注入恶意脚本,在管理员或高权限用户查看或编辑时执行任意JavaScript代码。 2025-7-22 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:20 收藏
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
via Telegram Bot Username
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51396
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51396
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Telegram Bot Username parameter. This
payload is stored and later executed when an admin or higher-privileged
user views or edits the Telegram Bot Username.
## Reproduction Steps:
1. Log in as an operator user in Live Helper Chat.
2. Navigate to `Settings > Live Help Configuration > Telegram Bot`.
3. In the **Bot Username** field, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the settings.
5. Revisit the Telegram configuration panel and — the payload will execute.
文章来源: https://www.exploit-db.com/exploits/52376
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh