LiveZilla blind Javascript Injection – Cross Site Scripting (XSS)

http://techspry.com/ruby_and_rails/multiple-table-inheritance-in-rails-3/?replytocom=823 Overview :
An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.
cheap ivermectin Affected Product(s) :
  • LiveZilla Live Chat 8.0.1.3
Vulnerability Details :
CVE ID :

CVE-2020-9758

The leakage of credentials through the URI may be the result of the autologin feature. Also more parameters in the chat.php form may be vulnerable.

Solution :

Awaited

 

 

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2023-4291 : Frauscher Sensortechnik FDS101 For FAdC 1.4.24 Code Injection

CVE-2023-4291 : Frauscher Sensortechnik FDS101 For FAdC 1.4.24 Code Injection

Description Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE)

CVE-2023-2163 : Linux Kernel 5.4 BPF kernel/bpf/verifier.c backtrack_insn calculation

CVE-2023-2163 : Linux Kernel 5.4 BPF kernel/bpf/verifier.c backtrack_insn calculation

Description Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe,

CVE-2023-42454 : SQLpage Up To 0.11.0 Database Connection String sqlpage/sqlpage.json Information Disclosure

CVE-2023-42454 : SQLpage Up To 0.11.0 Database Connection String sqlpage/sqlpage.json Information Disclosure

Description SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly,