What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in nghialuu Zalo Official Live Chat (zalo-official-live-chat) allows Cross-Site Request Forgery. This issue affects Zalo Official Live Chat: from n/a through <= 1.0.0.
Explanation of Vulnerability in Simple Terms
02 Summary
Zalo Official Live Chat versions up to 1.0.0 contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious link or page that, when visited by a site administrator, performs unwanted actions on the chat system without the admin's knowledge. Exploitation requires user interaction and does not expose sensitive data, but it can modify chat settings or functionality.
What an attacker can do
03 Attacker Capabilities
Trick a site admin into visiting a malicious page that performs unwanted actions on the live chat system.
Potential impact on your site
04 Site Impact
An attacker can modify live chat settings or functionality by tricking your admin into visiting a malicious page.
Conditions required to exploit
05 Prerequisites
A site admin must visit an attacker-controlled page or click a malicious link while logged into the site.
Key dates
06 Disclosure timeline
April 24, 2025: CVE published
April 28, 2026: Record updated