CVE-2022-1235 — Weak password hash in LiveHelperChat

Description

The secrethash, which the application relies for multiple security measures, can be brute-forced. The hash is quite small, with only 10 characters of only hexadecimal, making 16^10 possilibities ( 1.099.511.627.776 ). The SHA1 of the secret can be obtained via a captcha string and brute-forced offline with an GPU.

How to fix CVE-2022-1235

To remediate CVE-2022-1235, upgrade the affected package to a fixed version below.

—upgrade to 3.96.0 or later
—upgrade to 3.96 or later

Is CVE-2022-1235 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.96.0
from 0, < 3.96

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-1235
PATCHgithub.com/livehelperchat/livehelperchat
WEBgithub.com/livehelperchat/livehelperchat/commit/6538d6df3d8a60fee254170b08dd76a161f7bfdc
WEBhuntr.dev/bounties/92f7b2d4-fa88-4c62-a2ee-721eebe01705