CVE-2021-4049: Cross-Site Request Forgery in remdex/livehelperchat
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-4049
GHSA ID:
EPSS Score: 0.30533%
CWE:
Published: 12/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| remdex/livehelperchat | composer | <= 2.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the logout functionality not validating CSRF tokens prior to the patch. The fixing commit adds a CSRF check to logout.php by calling $lhUser->validateCSFRToken(), which indicates that this validation was previously absent. The template files show that CSRF tokens were added to the logout links in the same patch, confirming that the pre-patch logout URLs carried no token. The core vulnerability therefore lies in the logout endpoint's request handling, which ended the session without verifying that the request originated from the application itself.