CRITICAL🇵🇱 Wersja polska

CVE-2024-27516

CVSS 9.8v3.1pub. 2024-02-29upd. 2025-04-30

Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34v, allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.

🤖 AI Analysis
How it works

The vulnerability occurs in the 'search' parameter handled by the 'lhc_web/modules/lhfaq/faqweight.php' file. Improperly validated user input is processed by the server-side template engine, which allows injection of malicious template expressions. This results in the interpretation and execution of arbitrary code in the context of the web server process.

Impact

An attacker can remotely execute arbitrary code on the server (RCE) without any authentication, as well as gain access to sensitive information stored in the system.

Mitigation & patch

Live Helper Chat should be updated to version 4.34 or newer. The fix was introduced in commit a61d231526a36d4a7d8cc957914799ee1f9db0ab available in the manufacturer's GitHub repository.

Who is affected

Live Helper Chat (livehelperchat) in versions before 4.34

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Livehelperchat Live Helper Chat

    APP
    Livehelperchat
    < 4.34
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2022-0935HIGH8.8ten sam produkt

Host Header injection in password Reset in GitHub repository livehelperchat/livehelperchat prior to 3.97.

CVE-2022-1213HIGH8.1ten sam produkt

SSRF filter bypass port 80, 433 in GitHub repository livehelperchat/livehelperchat prior to 3.67v. An attacker...

CVE-2022-1235HIGH8.2ten sam produkt

Weak secrethash can be brute-forced in GitHub repository livehelperchat/livehelperchat prior to 3.96.

CVE-2022-1176HIGH7.5ten sam produkt

Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to...

CVE-2022-1191HIGH8.1ten sam produkt

SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96.