Live Helper Chat
cpe:2.3:a:livehelperchat:live_helper_chat:*:*:*:*:*:*:*
- <= ee1270b35625f552425e32a6a3061cd54b5085c4
A cross-site scripting (XSS) vulnerability has been identified in the Live Helper Chat lhc-php-resque extension, affecting all versions prior to the latest release on June 18, 2025. The vulnerability resides in the List Handler component, specifically within the file '/site_admin/lhcphpresque/list/'. The queue name parameter is written into the rendered page without being HTML-encoded, so a remote attacker who can control a queue name can inject markup and script. Because the list is an administrative page, the injected JavaScript executes in the browser, and with the session, of an authenticated administrator.
Exploitation allows cross-site scripting: the injected script runs in the browser of the affected user with that user's privileges. In this case a normal (unprivileged) user can use it to escalate privileges, for example by having the script promote their own account to administrator status when an administrator views the list. The issue is particularly critical for Live Helper Chat installations built from the official Docker image, where the PHP-Resque extension is enabled by default.
To reproduce this vulnerability, access the '/site_admin/lhcphpresque/list/' endpoint and supply a script payload in the queue name parameter. The script executes in the context of whichever user views the list, in practice an administrator.
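As an added illustration of the bug class, not code from Live Helper Chat or the lhc-php-resque extension, the following PHP stand-in for a queue list handler renders constructed queue names first without encoding and then with context-appropriate encoding. The function names, the markup and the sample queue names are assumptions made for this example.

```php
<?php
// Added example, not code from Live Helper Chat or the lhc-php-resque extension.
// Minimal stand-in for a queue list handler that renders queue names into HTML.
// Function names, markup and sample data are assumptions made for illustration.

declare(strict_types=1);

// Constructed sample input: queue names as a handler might read them from the
// Resque backend. The second and third carry payloads constructed for this example.
const SAMPLE_QUEUES = [
    'default',
    'mail<script>document.title="pwned"</script>',
    'reports" onmouseover="alert(1)',
];

// Vulnerable pattern: the untrusted queue name is concatenated into markup unescaped,
// so a name containing HTML or JS executes in the browser of whoever views the list.
function renderQueueListVulnerable(array $queues): string
{
    $html = "<ul>\n";
    foreach ($queues as $name) {
        $html .= '<li><a href="/site_admin/lhcphpresque/list/?queue=' . $name . '">'
               . $name . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: encode for the HTML text/attribute context and, separately,
// URL-encode the value placed in the query component. ENT_QUOTES covers attribute
// breakouts; ENT_SUBSTITUTE avoids returning '' (and silently dropping the row)
// on invalid UTF-8 input.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderQueueListHardened(array $queues): string
{
    $html = "<ul>\n";
    foreach ($queues as $name) {
        $href = '/site_admin/lhcphpresque/list/?queue=' . rawurlencode($name);
        $html .= '<li><a href="' . escapeHtml($href) . '">' . escapeHtml($name) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Self-check: a raw <script> tag or an attribute breakout must survive only in
// the vulnerable output.
function containsRawMarkup(string $html): bool
{
    return str_contains($html, '<script>') || str_contains($html, '" onmouseover=');
}

$vulnerable = renderQueueListVulnerable(SAMPLE_QUEUES);
$hardened   = renderQueueListHardened(SAMPLE_QUEUES);

echo "vulnerable output contains raw markup: " . var_export(containsRawMarkup($vulnerable), true) . "\n";
echo "hardened output contains raw markup:   " . var_export(containsRawMarkup($hardened), true) . "\n";
echo "\n--- hardened rendering ---\n" . $hardened;
```

Run it with `php` (8.0 or later, for `str_contains`). The hardened variant encodes twice on purpose: `rawurlencode` for the value inside the query string and `htmlspecialchars` for everything that lands in the HTML, because neither function alone neutralises both the tag injection in the text node and the quote breakout inside the `href` attribute.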
Users are advised to update to the latest version of the lhc-php-resque extension, released on June 18, 2025.