The Name field (name="form_111") in chat.php may be used to send XSS that is visible inside the Webbased Operator Client.
Proof of Concept:
Put XSS inside the Name field in chat.php, for example:
The XSS will be visible to an operator who uses the Webbased Operator Client, accepts your chat and receives at least two messages from you.
- 25-11-2014: Discovered
- 25-11-2014: Vendor notified
- 15-01-2015: Version 18.104.22.168 released, issue resolved
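
The class of fix for this issue is to encode the visitor-supplied name where the operator client renders it. The following is an added example, not code from this advisory or from the vendor's fix; all function names, the markup layout and the 64-character limit are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering helpers, not the product's source code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side hygiene for the Name field: strip control characters, cap length.
// The length limit (64) is an assumed value.
function normalizeName(raw, maxLen = 64) {
  return String(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim().slice(0, maxLen);
}

// Vulnerable pattern: visitor-controlled name concatenated straight into markup.
function renderLineUnsafe(name, text) {
  return '<div class="msg"><span class="from">' + name + "</span>: " + text + "</div>";
}

// Hardened pattern: normalize first, then encode at the point of output.
function renderLineSafe(name, text) {
  return '<div class="msg"><span class="from">' + escapeHtml(normalizeName(name)) +
    "</span>: " + escapeHtml(text) + "</div>";
}

// Constructed sample input: a name carrying harmless markup.
const sampleName = '<i title="x">visitor</i>';

function demo() {
  return {
    unsafe: renderLineUnsafe(sampleName, "hello"),
    safe: renderLineSafe(sampleName, "hello"),
  };
}
```

Encoding at output is the control that matters here; the input normalization only limits what is stored and does not replace it.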