Exploit Details
Basic Information
| Exploit Title | LiveHelperChat 4.61 – Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field |
|---|---|
| Exploit ID | EDB-ID:52381 |
| Type | exploitdb |
| Published | 2025-07-22T00:00:00 |
| Modified | 2025-07-22T00:00:00 |
CVSS Information
| CVSS Score | 6.5 |
|---|---|
| Severity | MEDIUM |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVE Information
- CVE-2025-51403
Exploit Description
Exploit Title:…
Exploit Code
# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS)
via Department Assignment Alias Nick Field
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51403
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403
# Reference:
https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223
via Department Assignment Alias Nick Field
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51403
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403
# Reference:
https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223
A low-privileged user/operator injects a malicious JavaScript payload into
the Department Assignment “Alias Nick” field while assigning or editing
department access. When a higher-privileged user (e.g., admin or operator)
edits the department assignment “Alias Nick” field, the stored script is
executed in their browser context.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Department Assignment settings page.
3. In the “Alias Nick” field, enter the following payload:
“`
“>
“`
4. Save the changes.
5. Revist the Department Assignment settings page and edit the Alias Nick
field, the cross site scripting (xss) will execute.