CVE-2021-4131: livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CVSS Score: 8.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-4131
GHSA ID:
EPSS Score: 0.35533%
CWE:
Published: 1/5/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
remdex/livehelperchat | composer | < 3.91 | 3.91 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub patch adds CSRF token validation to expirecache.php and changes the route configuration so that the action requires a CSRF token. Before the patch, three things combined to make the action forgeable:

1. The template link (expirecache.tpl.php) triggered the action through a plain link that carried no CSRF token, so any page the victim visited could reproduce the request.
2. The backend handler (expirecache.php) executed the privileged cache-expiry operation without validating a CSRF token.
3. The route configuration (module.php) did not declare a CSRF parameter for the route, so the framework's routing layer did not enforce one either.

The missing check in the handler is the core defect, which makes the handler function the primary vulnerable function. On the scoring: the vector uses PR:N and UI:R because the attacker needs no account of their own; the victim's browser supplies the authenticated session when it is lured into loading the forged request, which is the usual way CSRF is rated.
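To show the before/after pattern the analysis describes, here is an added PHP illustration. It is not Live Helper Chat's code and does not reproduce its token mechanism or file layout; the function names, the `expire` request parameter, the `/site_admin/expirecache` path and the `clearCache()` callback are all hypothetical. It contrasts a state-changing handler reachable by a bare link with the same handler protected by a per-session synchronizer token.

```php
<?php
// Added illustration, not Live Helper Chat code. Shows a privileged
// "expire cache" style action first without, then with, CSRF protection.
// All names and paths below are hypothetical.

session_start();

// Vulnerable pattern: a plain GET link triggers the action, and the handler
// never checks a per-session secret. Any third-party page the victim visits
// can fire it, e.g. <img src="https://chat.example/site_admin/expirecache?expire=1">
// (hypothetical URL), and the browser attaches the victim's session cookie.
function expireCacheVulnerable(array $request, callable $expire): string
{
    if (!isset($request['expire'])) {
        return 'nothing to do';
    }
    $expire();          // privileged operation runs even on a forged request
    return 'cache expired';
}

// Token issuance: one random token per session, embedded in the form that
// triggers the action. An attacker's page cannot read it cross-origin.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrfTokenValid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hardened pattern: require POST so a bare link or <img> cannot trigger the
// action, then validate the token. POST alone is not enough (a cross-site
// form can be auto-submitted), which is why the token check is mandatory.
function expireCacheHardened(string $method, array $request, callable $expire): string
{
    if ($method !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (!csrfTokenValid($request['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'invalid CSRF token';
    }
    $expire();
    return 'cache expired';
}

// The template side of the fix: the trigger must carry the token. A bare
// <a href="...expirecache"> link, like the pre-patch template, does not.
function expireCacheForm(): string
{
    return '<form method="post" action="/site_admin/expirecache">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit">Expire cache</button></form>';
}

// Example wiring (clearCache() is a hypothetical privileged operation):
// echo expireCacheHardened($_SERVER['REQUEST_METHOD'], $_POST, fn () => clearCache());
```

Two practical checks when reviewing a fix like this: confirm that the route or controller rejects the request when the token is absent, not only when it is wrong, and confirm that every entry point to the same operation (template link, direct URL, any AJAX path) goes through the validated handler, since a second unprotected route would leave the original forgery intact. Setting the session cookie's SameSite attribute is a useful defence in depth but does not replace the token.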