Date: Tue Dec 10 2013 - 09:32:12 CST
Author: Jakub Zoczek [zoczusgmail.com]
CVE Reference: CVE-2013-7003
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 126.96.36.199
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
LiveZilla is a widely-used and trusted Live Help and Live Support System.
LiveZilla version 188.8.131.52 is prone to multiple Stored Cross-Site Scripting issues in the Web-based Operator Client and the LiveZilla Client. An attacker can place payloads in visitor-supplied fields such as "full name" or "company", or craft a filename for an uploaded file, to exploit this vulnerability: the values are stored and later rendered unescaped on the operator side.
0x03 Proof of Concepts
Name and Surname variant:
My name is Jakub and this is looong username <img src="a" onerror="alert(document.cookie)">h
Uploaded filename variant:
The vulnerabilities were fixed in LiveZilla version 184.108.40.206.
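The root cause described above is visitor-controlled text being interpolated raw into operator-side markup. The following is an added example, not LiveZilla's own code, contrasting that pattern with output escaping at the point of rendering; the record layout, field names and function names are assumptions, and the sample values reuse this advisory's payload.

```javascript
// Added example (not LiveZilla's code): escaping visitor-supplied fields at the point
// where a web-based operator client renders them. Field and function names are assumptions.

// Constructed sample record: the name field carries the payload from this advisory, and the
// uploaded filename carries the same payload, mirroring the "crafted filename" variant.
const visitorRecord = {
  fullName: 'My name is Jakub and this is looong username <img src="a" onerror="alert(document.cookie)">h',
  company: 'Example & Co',
  uploadedFilename: 'invoice<img src="a" onerror="alert(document.cookie)">.pdf',
};

// Characters that change meaning in HTML text or double-quoted attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw visitor data interpolated into operator-side markup.
function renderVisitorUnsafe(rec) {
  return `<li data-file="${rec.uploadedFilename}">${rec.fullName} (${rec.company})</li>`;
}

// Fixed pattern: every visitor-controlled value is escaped for the context it lands in.
function renderVisitorSafe(rec) {
  return `<li data-file="${escapeHtml(rec.uploadedFilename)}">`
    + `${escapeHtml(rec.fullName)} (${escapeHtml(rec.company)})</li>`;
}

// Counts HTML tags in a fragment; the list item itself accounts for exactly two
// (<li ...> and </li>), so anything above that came from visitor data.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

console.log('unsafe tags:', countTags(renderVisitorUnsafe(visitorRecord))); // 4
console.log('safe tags:', countTags(renderVisitorSafe(visitorRecord)));     // 2
```

The same check doubles as a regression test for a fix: a rendered operator-side fragment should never contain more tags than the template itself emits.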
21.11.2013 - Vendor notified
01.12.2013 - Ping
02.12.2013 - Vendor responded with information about the planned fix
06.12.2013 - Fixed version released
10.12.2013 - Public Disclosure