30-03-2015 / Vulnerabilities

LiveZilla 5.3.0.8 XSS

The visitor Name field (name="form_111") of the chat form in chat.php can be used to inject script that is rendered, and therefore executed, inside the Webbased Operator Client.

Proof of Concept

Enter a script payload in the Name field of chat.php, for example:

<script>alert("XSS");</script>

The payload executes in the browser session of an operator who uses the Webbased Operator Client, accepts the chat and receives at least two messages from the visitor.
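To illustrate the class of bug behind this advisory, the following is an added example and not LiveZilla's own code: a minimal model of an operator console that builds the chat message markup from the visitor's display name. renderMessageUnsafe, renderMessageSafe, escapeHtml and containsRawTag are hypothetical names, the markup layout is assumed, and VISITOR_NAME is a constructed sample that reuses the payload shown above.

```javascript
// Added illustration (not LiveZilla's code): how a web-based operator client
// can turn a visitor-supplied name into script execution, and the escaping
// that prevents it. All names and markup here are assumptions.

// Constructed sample input: the payload from the advisory as the visitor name.
const VISITOR_NAME = '<script>alert("XSS");</script>';

// Vulnerable pattern: the untrusted name is concatenated straight into markup
// that the operator client would then assign to innerHTML.
function renderMessageUnsafe(name, text) {
  return '<div class="msg"><b>' + name + ':</b> ' + text + '</div>';
}

// Escape the five characters that are significant in HTML text and
// double- or single-quoted attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped before it becomes markup.
// In a real client, assigning element.textContent instead of building HTML
// strings achieves the same thing without a hand-written escaper.
function renderMessageSafe(name, text) {
  return '<div class="msg"><b>' + escapeHtml(name) + ':</b> ' + escapeHtml(text) + '</div>';
}

// Test helper only (not a defence): does the rendered markup still carry a
// raw <script tag? Blocklists like this are not a substitute for escaping.
function containsRawTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderMessageUnsafe(VISITOR_NAME, 'hello'));
console.log('safe:  ', renderMessageSafe(VISITOR_NAME, 'hello'));
```

The unsafe rendering emits the visitor's script tag verbatim, which is exactly what an operator's browser would execute once the message is inserted into the page; the safe rendering turns it into inert text such as `&lt;script&gt;...`. Escaping belongs at the point where untrusted data meets HTML, on the operator side, because the visitor-side form cannot be trusted to sanitise its own input.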

Timeline

  • 25-11-2014: Discovered
  • 25-11-2014: Vendor notified
  • 15-01-2015: Version 5.4.0.0 released, issue resolved