Miggo Logo

CVE-2022-0612: Cross-site Scripting in livehelperchat

6.7

CVSS Score
3.0

Basic Information

EPSS Score
0.53313%
Published
2/17/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
remdex/livehelperchatcomposer< 3.933.93

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability arises from user-controlled data (e.g., theme configurations) being embedded in HTML attributes without disabling AngularJS binding. The patch adds ng-non-bindable to anchor tags, which prevents Angular from processing injected expressions. The affected templates directly output data retrieved via methods like erLhcoreClassModelChatConfig::fetch() and $Result['theme'] properties. While htmlspecialchars neutralizes traditional XSS, Angular expressions (e.g., {{...}}) are not escaped by PHP and would execute if Angular processes the element. The lack of ng-non-bindable in the original code allowed this client-side exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - Stor** in P**k**ist r*m**x/liv***lp*r***t prior to *.**v.

Reasoning

T** vuln*r**ility *ris*s *rom us*r-*ontroll** **t* (*.*., t**m* *on*i*ur*tions) **in* *m****** in *TML *ttri*ut*s wit*out *is**lin* *n*ul*rJS *in*in*. T** p*t** ***s n*-non-*in***l* to *n**or t**s, w*i** pr*v*nts *n*ul*r *rom pro**ssin* inj**t** *xpr