CVE-2025-51403
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-08-07
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| livehelperchat | live_helper_chat | to 4.61 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-51403 is a stored cross-site scripting (XSS) vulnerability in Live Helper Chat versions up to 4.61. It occurs due to improper sanitization of input in the 'Alias Nick' field within the Department Assignment settings. A low-privileged user can inject malicious JavaScript code into this field. When a higher-privileged user later views or edits this field, the malicious script executes in their browser, potentially leading to security risks such as session hijacking or unauthorized actions. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of higher-privileged users' browsers. This can lead to session hijacking, unauthorized actions performed on behalf of the user, and potentially compromise the security and integrity of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a test XSS payload into the 'Alias Nick' field within the Department Assignment settings of Live Helper Chat (versions up to 4.61). For example, log in as an operator, navigate to the Department Assignment settings, and input a payload such as `"><img src=\"x\" onerror=\"prompt(1);\">` into the Alias Nick field. Then save and revisit the page to see if the payload executes. There are no specific network commands provided, but manual testing of this input field for script injection is the suggested detection method. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Live Helper Chat to version 4.61 or later, where this vulnerability has been patched. Until the upgrade can be performed, restrict operator permissions to prevent untrusted users from editing the Alias Nick field in Department Assignment settings, and avoid viewing or editing this field by higher-privileged users to reduce risk of script execution. [1]