
CVE-2025-7435: Cross Site Scripting in LiveHelperChat lhc-php-resque Extension

Severity: Medium
Published: Fri Jul 11 2025 (07/11/2025, 02:02:07 UTC)
Source: CVE Database V5
Vendor/Project: LiveHelperChat
Product: lhc-php-resque Extension

Description

A vulnerability was found in LiveHelperChat lhc-php-resque Extension up to ee1270b35625f552425e32a6a3061cd54b5085c4. It has been classified as problematic. This affects an unknown part of the file /site_admin/lhcphpresque/list/ of the component List Handler. The manipulation of the argument queue name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 542aa8449b5aa889b3a54f419e794afe19f56d5d/0ce7b4f1193c0ed6c6e31a960fafededf979eef2. It is recommended to apply a patch to fix this issue.

AI-Powered Analysis

Last updated: 07/11/2025, 03:01:11 UTC

Technical Analysis

CVE-2025-7435 is a cross-site scripting (XSS) vulnerability in the lhc-php-resque extension of LiveHelperChat, a widely used open-source live chat support system. The flaw sits in the List Handler component, in the /site_admin/lhcphpresque/list/ file: the 'queue name' argument is not properly sanitized, so an attacker can supply a value that injects script into the rendered page. Exploitation is possible remotely without authentication, but it requires user interaction (for example, an administrator or user viewing a crafted page). The vulnerability is classified as 'problematic' and carries a CVSS 4.0 base score of 5.1, a medium severity: network attack vector, low attack complexity, no privileges required, user interaction required. Confidentiality and integrity are affected to a limited extent; availability is not directly affected. Because the product follows a rolling release model, affected and fixed states are identified by commit hashes rather than version numbers. A patch has been issued, identified by the commit hashes given in the description, but no direct patch links are provided. No exploits are known in the wild, although the public disclosure means exploits could be developed. Successful exploitation lets an attacker execute arbitrary JavaScript in the context of the affected web application, which can lead to session hijacking, credential theft, or unauthorized actions within the LiveHelperChat admin interface or user sessions.

Potential Impact

For European organizations running LiveHelperChat with the vulnerable lhc-php-resque extension, this XSS vulnerability poses a moderate risk. Exploitation could expose session tokens or credentials, letting an attacker impersonate legitimate users or administrators and gain unauthorized access to customer support data, internal communications, or user information, affecting confidentiality and integrity. Because LiveHelperChat is commonly embedded in customer service workflows, a successful attack could also damage organizational reputation and customer trust. Remote exploitability without authentication raises the risk, particularly for organizations that expose the admin interface or chat system to the internet; the need for user interaction and the medium CVSS score mean the threat is significant rather than critical. Organizations subject to GDPR must weigh the potential data breach implications and patch promptly to avoid compliance problems. The product's rolling release model means organizations need disciplined update practices to address this and future vulnerabilities.

Mitigation Recommendations

Organizations should promptly apply the patch identified by commit hashes 542aa8449b5aa889b3a54f419e794afe19f56d5d and 0ce7b4f1193c0ed6c6e31a960fafededf979eef2. Because the product uses rolling releases, it is important to track the LiveHelperChat repository continuously for updates. Administrators should also enforce strict input validation and context-appropriate output encoding on all user-supplied data, in particular the 'queue name' parameter, so that injected markup is rendered as text rather than executed. A Content Security Policy (CSP) header that blocks inline and unauthorized scripts limits the impact of any residual XSS vectors. Restrict access to the /site_admin/lhcphpresque/list/ interface to trusted IP addresses or a VPN to reduce exposure. Audit and monitor web application logs for requests to this path carrying script-like content in the queue name. Educate users and administrators about the risks of following untrusted links or interacting with unexpected content within the chat system. Finally, fold continuous monitoring for new LiveHelperChat patches and security advisories into the vulnerability management process.
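The mitigations described above (output encoding of the queue name before it is placed in the list, allow-list validation, and a CSP header) shown side by side with the vulnerable rendering pattern, as an added PHP example written for this page; it is not LiveHelperChat's or the extension's own code. The request parameter name `queue`, the table layout and the permitted queue-name character set are assumptions.

```php
<?php
declare(strict_types=1);

// Illustrative example, not the project's code. Assumes the list handler reads a
// queue name from the request and renders it into an HTML table row.

/** Encode a string for an HTML text node or a double-quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the queue name is interpolated into markup unencoded. */
function renderQueueRowUnsafe(string $queueName, int $jobs): string
{
    return "<tr><td>{$queueName}</td><td>{$jobs}</td></tr>";
}

/** Hardened pattern: every interpolated value is encoded for its HTML context. */
function renderQueueRowSafe(string $queueName, int $jobs): string
{
    return '<tr><td>' . h($queueName) . '</td><td>' . $jobs . '</td></tr>';
}

/** Allow-list check; the character set for resque queue names is an assumption. */
function isValidQueueName(string $queueName): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $queueName);
}

// Constructed sample input showing how an encoded name is neutralised.
$sample = '<script>alert(1)</script>';
assert(renderQueueRowUnsafe($sample, 0) === '<tr><td><script>alert(1)</script></td><td>0</td></tr>');
assert(renderQueueRowSafe($sample, 0) === '<tr><td>&lt;script&gt;alert(1)&lt;/script&gt;</td><td>0</td></tr>');
assert(isValidQueueName('default') && !isValidQueueName($sample));

// Defence in depth: a CSP without 'unsafe-inline' blocks injected inline script.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$queueName = is_string($_GET['queue'] ?? null) ? $_GET['queue'] : 'default';
if (!isValidQueueName($queueName)) {
    http_response_code(400);
    exit('Invalid queue name');
}
echo renderQueueRowSafe($queueName, 0);
```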


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-10T15:50:26.812Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68707aefa83201eaacab62a7

Added to database: 7/11/2025, 2:46:07 AM

Last enriched: 7/11/2025, 3:01:11 AM

Last updated: 7/11/2025, 10:43:56 AM
