Live Helper Chat REST API Cross-Department Chat Modification Vulnerability

Vulnerability

A vulnerability in the Live Helper Chat REST API chat update endpoint in version 4.84v allows low-privileged users to update chats in departments they cannot read. The endpoint accepts arbitrary chat object fields, so a user can change the chat hash and status and then access or manipulate the chat through the visitor/widget paths. The 'operation_admin' field can also be set; its contents are later executed as JavaScript on the operator's side.

Impact

Exploitation of this vulnerability allows a user to bypass department isolation, modifying and accessing chats in other departments. This not only exposes chat contents and states to unauthorized users but also enables the execution of injected JavaScript in the context of the Live Helper Chat application, potentially leading to further exploitation depending on the privileges of the operator or admin session.

Reproduction

To reproduce this vulnerability, set up Live Helper Chat version 4.84v with two departments. Create a REST API user with 'lhchat/use' permission, assigned only to department A. Then, create or select a chat in department B, which the user cannot read. Send a PUT request to the chat update endpoint, including an attacker-controlled hash, a status value, and a JavaScript payload in the 'operation_admin' field. After the request is processed, the chat will reflect the injected values, and the JavaScript payload will be executed when the chat is accessed by an operator or admin.
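The two defects described above (no check that the chat's department is one the API user may read, and pass-through of every supplied field, including 'hash' and 'operation_admin') can be modelled as a small authorization-and-allowlist routine. The following is an added illustration, not Live Helper Chat's own code: the Chat and ApiUser classes, the UPDATABLE_FIELDS allowlist, the function names and the 'CONSTRUCTED_JS_PLACEHOLDER' value are all assumptions made for the example. The hardened handler rejects cross-department updates and any field outside the allowlist, which is the fix a reviewer would want for this endpoint.

```python
"""Hypothetical model of a REST chat-update handler: the defect class next to a
hardened version. Not Live Helper Chat code; names and shapes are assumptions."""
from dataclasses import dataclass


@dataclass
class Chat:
    id: int
    dep_id: int          # department the chat belongs to
    hash: str            # secret used by visitor/widget paths to address the chat
    status: int
    operation_admin: str = ""   # executed as JavaScript on the operator side


@dataclass
class ApiUser:
    id: int
    departments: set     # department ids this user is allowed to read
    permissions: set     # e.g. {"lhchat/use"}


class Forbidden(Exception):
    pass


# Fields a low-privileged REST user may change through the update endpoint.
# 'hash' and 'operation_admin' are deliberately excluded from the allowlist.
UPDATABLE_FIELDS = {"status"}


def update_chat_vulnerable(user: ApiUser, chat: Chat, payload: dict) -> Chat:
    """Defect model: checks only the permission, never the department,
    and copies every attribute present in the payload onto the chat."""
    if "lhchat/use" not in user.permissions:
        raise Forbidden("missing lhchat/use")
    for name, value in payload.items():
        if hasattr(chat, name):
            setattr(chat, name, value)
    return chat


def update_chat_hardened(user: ApiUser, chat: Chat, payload: dict) -> Chat:
    """Hardened model: enforce department isolation, then apply only
    allowlisted, type-checked fields."""
    if "lhchat/use" not in user.permissions:
        raise Forbidden("missing lhchat/use")
    if chat.dep_id not in user.departments:
        # Same response as for a non-existent chat, so the user cannot probe
        # which chat ids exist in departments they cannot read.
        raise Forbidden("chat not found or not readable by this user")
    rejected = sorted(set(payload) - UPDATABLE_FIELDS)
    if rejected:
        raise ValueError(f"fields not updatable via this endpoint: {rejected}")
    status = payload.get("status")
    if not isinstance(status, int):
        raise ValueError("status must be an integer")
    chat.status = status
    return chat


def run_demo() -> dict:
    """Constructed scenario: user assigned to department 1 (A) sends the
    request from the advisory against a chat in department 2 (B)."""
    user = ApiUser(id=7, departments={1}, permissions={"lhchat/use"})
    payload = {
        "hash": "attacker-chosen-hash",
        "status": 1,
        "operation_admin": "CONSTRUCTED_JS_PLACEHOLDER",   # constructed marker
    }
    chat_b = Chat(id=42, dep_id=2, hash="original-hash", status=0)
    vulnerable = update_chat_vulnerable(user, chat_b, dict(payload))

    chat_b_again = Chat(id=42, dep_id=2, hash="original-hash", status=0)
    try:
        update_chat_hardened(user, chat_b_again, dict(payload))
        cross_dep_error = None
    except Forbidden as exc:
        cross_dep_error = str(exc)

    # Own department, but payload still carries non-allowlisted fields.
    chat_a = Chat(id=43, dep_id=1, hash="own-hash", status=0)
    try:
        update_chat_hardened(user, chat_a, dict(payload))
        allowlist_error = None
    except ValueError as exc:
        allowlist_error = str(exc)

    # Own department, allowlisted field only: the legitimate use case works.
    chat_a_ok = Chat(id=44, dep_id=1, hash="own-hash", status=0)
    update_chat_hardened(user, chat_a_ok, {"status": 1})

    return {
        "vulnerable_hash": vulnerable.hash,
        "vulnerable_operation_admin": vulnerable.operation_admin,
        "cross_dep_error": cross_dep_error,
        "allowlist_error": allowlist_error,
        "untouched_hash": chat_b_again.hash,
        "legit_status": chat_a_ok.status,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The department check returns the same error as a missing chat so that the endpoint does not leak which chat ids exist in other departments, and the allowlist is a fixed set rather than "every attribute the object has", which is the pattern that let 'hash' and 'operation_admin' through in the first place.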

Added: May 14, 2026, 7:29 PM
Updated: May 14, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.5
exploitability: 6.4
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.