CVE-2024-27516
livehelperchat Server-Side Template Injection
EPSS 3.2%
Description
Server-Side Template Injection (SSTI) vulnerability in livehelperchat before 4.34 allows remote attackers to execute arbitrary code and obtain sensitive information via the search parameter in lhc_web/modules/lhfaq/faqweight.php.
How to fix CVE-2024-27516
To remediate CVE-2024-27516, upgrade the affected package to the fixed version listed below.
- Packagist/remdex/livehelperchat: upgrade to 4.29 or later
Is CVE-2024-27516 being exploited?
Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Packagist/remdex/livehelperchat: from 0, < 4.29