Miggo Logo

CVE-2021-4131: livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.35533%
Published
1/5/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
remdex/livehelperchatcomposer< 3.913.91

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub patch adds CSRF token validation to expirecache.php and modifies the route configuration to require CSRF tokens. The original vulnerability existed because: 1) The template link (expirecache.tpl.php) triggered actions without CSRF protection 2) The backend handler (expirecache.php) executed privileged cache operations without validating CSRF tokens 3) The route configuration (module.php) didn't enforce CSRF parameters. The core vulnerability manifests in the handler function where the CSRF check was missing, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

liv***lp*r***t is vuln*r**l* to *ross-Sit* R*qu*st *or**ry (*SR*)

Reasoning

T** *it*u* p*t** ***s *SR* tok*n v*li**tion to *xpir******.p*p *n* mo*i*i*s t** rout* *on*i*ur*tion to r*quir* *SR* tok*ns. T** ori*in*l vuln*r**ility *xist** ****us*: *) T** t*mpl*t* link (*xpir******.tpl.p*p) tri***r** **tions wit*out *SR* prot**ti