The Name field (name="form_111") in chat.php can be used to send XSS that is rendered inside the Webbased Operator Client.
Proof of Concept
Put XSS inside the Name field in chat.php, for example:
<script>alert("XSS");</script>
The XSS will be visible to an operator who uses the Webbased Operator Client, accepts your chat and receives at least two messages from you.
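The class of bug described above, as an added example that is not code from the product or from this advisory: a visitor-supplied name concatenated into operator-side markup, next to an output-encoded version. The function names and the markup are hypothetical, and how the vendor fixed the issue in 5.4.0.0 is not stated on this page.

```javascript
// Added example: hypothetical operator-side rendering, not the product's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the visitor-controlled name is concatenated into markup as-is.
function renderMessageUnsafe(name, text) {
  return '<div class="msg" title="' + name + '"><b>' + name + ':</b> ' + text + '</div>';
}

// Hardened pattern: every visitor-controlled value is encoded at output time,
// in both the element body and the quoted attribute.
function renderMessageSafe(name, text) {
  const n = escapeHtml(name);
  return '<div class="msg" title="' + n + '"><b>' + n + ':</b> ' + escapeHtml(text) + '</div>';
}

// Constructed sample input: the Name value from the proof of concept and a benign name.
const samples = ['<script>alert("XSS");</script>', 'Alice & Bob'];
for (const name of samples) {
  console.log('unsafe:', renderMessageUnsafe(name, 'hello'));
  console.log('safe:  ', renderMessageSafe(name, 'hello'));
}
```

Encoding at output time keeps the stored name intact for logs and exports while preventing it from being parsed as markup in the operator's browser.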
Timeline
- 25-11-2014: Discovered
- 25-11-2014: Vendor notified
- 15-01-2015: Version 5.4.0.0 released, issue resolved