LiveZilla 5.3.0.8 XSS

Homepage:

http://www.livezilla.net/

CVE-ID

CVE-2014-9255

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description:

The Name field (name="form_111") in chat.php can be used to submit an XSS payload that is rendered inside the Webbased Operator Client.

Proof of Concept:

Put an XSS payload in the Name field in chat.php, for example:

<script>alert("XSS");</script>

The XSS will be visible to an operator who uses the Webbased Operator Client, accepts your chat, and receives at least two messages from you.
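
The fix for this class of bug is to HTML-encode the visitor-supplied Name where the operator view builds its markup. The following is an added example, not LiveZilla code: the function names and the chat-line template are assumptions, since the advisory does not show how the Webbased Operator Client renders a chat line.

```javascript
// Added example: hypothetical helpers, not LiveZilla source code.

// Characters that must be encoded in HTML text and quoted-attribute contexts.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the visitor-controlled name is concatenated into markup as-is.
function renderChatLineUnsafe(visitorName, message) {
  return '<div class="line"><b>' + visitorName + '</b>: ' + message + '</div>';
}

// Hardened pattern: every visitor-controlled value is encoded at output time.
function renderChatLineSafe(visitorName, message) {
  return '<div class="line"><b>' + escapeHtml(visitorName) + '</b>: ' +
         escapeHtml(message) + '</div>';
}

// Regression check: a rendered line may contain only the template's own tags.
function hasUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(div|b)$/i.test(t));
}

// Constructed sample input: the Name value from the proof of concept above.
const sampleName = '<script>alert("XSS");</script>';
const unsafe = renderChatLineUnsafe(sampleName, 'hello');
const safe = renderChatLineSafe(sampleName, 'hello');

console.log('unsafe:', unsafe, '-> unexpected tag:', hasUnexpectedTag(unsafe));
console.log('safe:  ', safe, '-> unexpected tag:', hasUnexpectedTag(safe));
```
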

Timeline: