Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.
AnalysisAI
Privilege escalation and cross-site scripting in Live Helper Chat 4.84v allows authenticated REST API users to manipulate chats outside their authorized departments and inject malicious JavaScript into operator sessions. Attackers with low-privilege lhchat/use access can modify arbitrary chat object fields including chat hash, status, and operation_admin properties, enabling unauthorized data access through visitor/widget paths and code execution in operator contexts. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.
Technical ContextAI
Live Helper Chat is an open-source customer support platform providing real-time chat functionality through web interfaces and REST APIs. The vulnerability stems from inadequate authorization enforcement (CWE-863: Incorrect Authorization) in the REST API chat update endpoint. The endpoint fails to validate department-level read permissions before allowing chat object modifications, creating a write-what-where condition. The attack surface spans two exploitation vectors: first, unauthorized modification of chat metadata (hash, status) enables access control bypass through visitor/widget code paths that trust these fields; second, setting the operation_admin field leads to stored XSS as this user-controlled value is later rendered as JavaScript in the operator dashboard without sanitization. The affected CPE cpe:2.3:a:livehelperchat:livehelperchat:*:*:*:*:*:*:*:* indicates the core application regardless of deployment environment.
RemediationAI
Upgrade to Live Helper Chat version patched for CVE-2026-44633 as specified in the GitHub Security Advisory at https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm. If immediate patching is not feasible, implement compensating controls: restrict REST API access using IP allowlisting or VPN-only access to limit the attack surface to trusted networks; audit and minimize lhchat/use permission grants, ensuring only necessary users have REST API access; implement Web Application Firewall rules to block PUT/PATCH requests to chat update endpoints from untrusted sources, though this may break legitimate API integrations; enable comprehensive API audit logging to detect unauthorized chat modification attempts across department boundaries. Note that disabling REST API functionality entirely eliminates this attack vector but will break third-party integrations and automated workflows. For XSS mitigation specifically, implement Content Security Policy headers to restrict inline script execution in operator dashboards, though this requires testing to avoid breaking legitimate application functionality.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30371