CVE-2025-7435 is a cross-site scripting (XSS) vulnerability identified in the lhc-php-resque extension of LiveHelperChat, a popular open-source live chat support system. The vulnerability exists in the List Handler component, specifically within the /site_admin/lhcphpresque/list/ file. The flaw arises from improper sanitization of the 'queue name' argument, which can be manipulated by an attacker to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although some user interaction is necessary (e.g., an administrator or user viewing a crafted page). The vulnerability is classified as 'problematic' and has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is needed. The impact primarily affects confidentiality and integrity to a limited extent, with no direct impact on availability. The product uses a rolling release model, so exact affected versions are identified by commit hashes rather than traditional version numbers. A patch has been issued to address the issue, identified by specific commit hashes, but no direct patch links are provided. No known exploits are currently in the wild, but public disclosure means attackers could develop exploits. The vulnerability allows attackers to execute arbitrary JavaScript in the context of the affected web application, potentially leading to session hijacking, credential theft, or unauthorized actions within the LiveHelperChat admin interface or user sessions.

For European organizations using LiveHelperChat with the vulnerable lhc-php-resque extension, this XSS vulnerability poses a moderate risk. Exploitation could lead to theft of session tokens or credentials, enabling attackers to impersonate legitimate users or administrators. This could result in unauthorized access to sensitive customer support data, internal communications, or user information, impacting confidentiality and integrity. Since LiveHelperChat is often integrated into customer service workflows, a successful attack could also damage organizational reputation and customer trust. The vulnerability's remote exploitability without authentication increases risk, especially for organizations exposing the admin interface or chat system to the internet. However, the requirement for user interaction and the medium CVSS score suggest the threat is not critical but still significant. European organizations with regulatory obligations under GDPR must consider the potential data breach implications and ensure timely patching to avoid compliance issues. The rolling release nature of the product means organizations must maintain vigilant update practices to mitigate this and future vulnerabilities.

Organizations should promptly apply the patch identified by commit hashes 542aa8449b5aa889b3a54f419e794afe19f56d5d and 0ce7b4f1193c0ed6c6e31a960fafededf979eef2 to remediate the vulnerability. Since the product uses rolling releases, it is critical to track the LiveHelperChat repository for updates continuously. Additionally, administrators should implement strict input validation and output encoding on all user-supplied data, especially the 'queue name' parameter, to prevent script injection. Employing Content Security Policy (CSP) headers can help mitigate the impact of any residual XSS vectors by restricting the execution of unauthorized scripts. Restrict access to the /site_admin/lhcphpresque/list/ interface to trusted IP addresses or via VPN to reduce exposure. Regularly audit and monitor web application logs for suspicious activity indicative of XSS exploitation attempts. Educate users and administrators about the risks of clicking on untrusted links or interacting with unexpected content within the chat system. Finally, integrate vulnerability management processes that include continuous monitoring for new patches and security advisories related to LiveHelperChat.