CVE-2025-51401: n/a
A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the operator name parameter.
AI Analysis
Technical Summary
CVE-2025-51401 is a stored cross-site scripting (XSS) vulnerability identified in the chat transfer function of Live Helper Chat version 4.60. This vulnerability arises due to insufficient input sanitization of the operator name parameter, allowing an attacker to inject malicious web scripts or HTML code. When the crafted payload is stored and subsequently rendered in the chat interface, it executes in the context of the victim's browser session. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The scope change indicates that the vulnerability affects components beyond the initially vulnerable component, potentially impacting other parts of the system or user sessions. Exploitation requires an attacker to have some level of privileges (likely an authenticated user with operator-level access) and to trick a user into interacting with the malicious payload. Although no known exploits are currently in the wild, the stored nature of the XSS increases risk since the payload persists and can affect multiple users over time. The lack of available patches at the time of publication suggests that organizations using Live Helper Chat 4.60 should prioritize mitigation and monitoring. Stored XSS vulnerabilities can lead to session hijacking, credential theft, or unauthorized actions performed in the victim's context, posing significant risks to confidentiality and integrity of communications within the chat platform.
Potential Impact
For European organizations utilizing Live Helper Chat, particularly in customer support or internal communication roles, this vulnerability could lead to unauthorized access to sensitive conversations or user credentials. Attackers exploiting this flaw could hijack operator sessions, impersonate legitimate users, or inject malicious content that compromises the integrity of communications. This is especially critical for sectors handling personal data under GDPR, as exploitation could result in data breaches with legal and financial repercussions. The medium severity score reflects moderate risk; however, the scope change and stored nature mean multiple users could be affected once the payload is injected. The requirement for some privileges limits exploitation to insiders or compromised accounts, but social engineering could facilitate this. The impact on confidentiality and integrity is notable, while availability is unaffected. European organizations relying on Live Helper Chat for customer engagement or internal support should consider the reputational damage and compliance risks if exploited.
Mitigation Recommendations
Organizations should immediately audit their Live Helper Chat deployments to identify usage of version 4.60 or earlier. Since no patches are currently available, temporary mitigations include implementing strict input validation and sanitization on the operator name parameter at the web application firewall (WAF) or reverse proxy level. Employ Content Security Policy (CSP) headers to restrict script execution and reduce XSS impact. Limit operator privileges and enforce strong authentication to reduce the risk of privilege abuse. Monitor logs for unusual operator name inputs or suspicious chat transfer activities. Educate operators about phishing and social engineering risks that could lead to injection of malicious payloads. Consider isolating the chat application environment to limit lateral movement if exploitation occurs. Once patches are released, prioritize timely updates. Additionally, conduct regular security assessments and penetration testing focused on chat application components to detect similar vulnerabilities proactively.
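One way to apply the input validation, log monitoring and output encoding recommended above to operator display names, as an added example that is not Live Helper Chat code. The allowlist policy, the record layout and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Assumed policy (not Live Helper Chat's own): display names are 1-64
# characters of letters, digits, spaces and a little punctuation.
ALLOWED_NAME = re.compile(r"[\w .,'\-]{1,64}")

# Markers that have no place in a display name and suggest markup injection.
MARKUP_SIGNS = [
    ("angle bracket", re.compile(r"[<>]")),
    ("event handler attribute", re.compile(r"\bon\w+\s*=", re.I)),
    ("script URL scheme", re.compile(r"\b(?:javascript|data)\s*:", re.I)),
    ("character reference", re.compile(r"&#?\w+;")),
]


def is_valid_operator_name(name):
    """Allowlist check to apply before a name is stored."""
    return ALLOWED_NAME.fullmatch(name) is not None


def audit_stored_names(records):
    """Return (operator_id, reasons) for stored names that carry markup signs."""
    findings = []
    for operator_id, name in records:
        reasons = [label for label, rx in MARKUP_SIGNS if rx.search(name)]
        if reasons:
            findings.append((operator_id, reasons))
    return findings


def render_operator_name(name):
    """Encode for an HTML text or quoted-attribute context at output time."""
    return html.escape(name, quote=True)


# Constructed sample rows: (hypothetical operator id, stored display name).
SAMPLE_OPERATORS = [
    (1, "Zoë Müller"),
    (2, "O'Brien-Smith, J."),
    (3, "<img src=x onerror=alert(1)>"),
    (4, "Support &#60;b&#62;Team"),
]

if __name__ == "__main__":
    for op_id, reasons in audit_stored_names(SAMPLE_OPERATORS):
        print(op_id, reasons)
```

Because the payload is stored, the audit over existing rows matters as much as the check on new input; output encoding remains the control that holds when both are bypassed.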
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 687e91f7a83201eaac12be9d
Added to database: 7/21/2025, 7:16:07 PM
Last enriched: 7/29/2025, 1:29:04 AM
Last updated: 8/12/2025, 11:34:42 AM