CVE-2022-0612: Cross-site Scripting in livehelperchat
CVSS Score: 6.7 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.53313%
CWE
Published: 2/17/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
remdex/livehelperchat | composer | < 3.93 | 3.93 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability arises from user-controlled data (e.g., theme configurations) being embedded in HTML attributes without disabling AngularJS binding. The patch adds ng-non-bindable to anchor tags, which prevents Angular from processing injected expressions. The affected templates directly output data retrieved via methods like erLhcoreClassModelChatConfig::fetch() and $Result['theme'] properties. While htmlspecialchars neutralizes traditional XSS, Angular expressions (e.g., {{...}}) are not escaped by PHP and would execute if Angular processes the element. The lack of ng-non-bindable in the original code allowed this client-side exploitation.
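The gap described above, as an added example that is not Live Helper Chat's own template code: htmlspecialchars leaves `{{...}}` untouched, and a DOM check reports which markers sit on or inside elements AngularJS would still compile. The function names, the sample URL and the harmless `{{1+1}}` marker are constructed for illustration, and only the attribute form of ng-non-bindable is checked.

```php
<?php
// Added example. Function names and sample values are hypothetical;
// this is not Live Helper Chat's template code.

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before" shape: value is HTML-escaped, element is still compiled by AngularJS.
function render_link_unpatched(string $url, string $label): string {
    return '<a href="' . esc($url) . '">' . esc($label) . '</a>';
}

// "After" shape: same escaping, plus ng-non-bindable on the anchor.
function render_link_patched(string $url, string $label): string {
    return '<a ng-non-bindable href="' . esc($url) . '">' . esc($label) . '</a>';
}

// Returns the text/attribute values that contain "{{" and are not on or
// inside an element carrying the ng-non-bindable attribute.
function bindable_interpolations(string $html): array {
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    $query = '//text()[contains(., "{{")][not(ancestor::*[@ng-non-bindable])]'
           . ' | //@*[contains(., "{{")][not(ancestor::*[@ng-non-bindable])]';
    $hits = [];
    foreach ($xpath->query($query) as $node) {
        $hits[] = $node->nodeValue;
    }
    return $hits;
}

// Constructed sample: a harmless arithmetic marker stands in for stored theme data.
$url   = 'https://example.test/help?ref={{1+1}}';
$label = 'Need help? {{1+1}}';

foreach (['unpatched' => render_link_unpatched($url, $label),
          'patched'   => render_link_patched($url, $label)] as $name => $html) {
    $hits = bindable_interpolations($html);
    printf("%-9s %s\n  bindable markers: %d\n", $name, $html, count($hits));
}
```

The same check can run over rendered template output in a regression test so that a new anchor emitting stored configuration without ng-non-bindable is caught before release.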