Bugtraq mailing list archives

LiveZilla Reflected XSS in translations
From: zoczus () gmail com
Date: Sun, 8 Dec 2013 23:30:57 GMT

Author: Jakub Zoczek [zoczus () gmail com]
CVE Reference: CVE-2013-7002
Product: LiveZilla 
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version:
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 
Status: Fixed

0x01 Background

LiveZilla is a widely used and trusted Live Help and Live Support System.

0x02 Description

LiveZilla in version is prone to a reflected cross-site scripting issue in the translation PHP script used to
generate JSON describing the mapping between origin and destination languages. The response is served with a
Content-Type of text/html and the g_language GET parameter is echoed into it without sanitization, which makes the
script vulnerable.

0x03 Proof of Concept

http://hostname/livezilla/mobile/php/translation/index.php?g_language=f";><img src=a onerror=alert('XSS')>h

0x04 Fix

The vulnerability was fixed in LiveZilla version.
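To make the root cause in the description and the shape of the fix concrete, here is an added example that is not LiveZilla's code: a hypothetical reconstruction of the pattern the advisory describes (a language parameter echoed into a hand-built JSON body served as text/html) next to a hardened version that allow-lists the parameter, declares the response as JSON and lets json_encode() do the escaping. Function names, the translation table and the probe value are all constructed for this example.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (not LiveZilla's code):
// the requested language code is concatenated into a text/html response, so
// a value such as  f";><img src=a onerror=...>h  is rendered as markup.
function build_translation_json_vulnerable(array $get, array $translations): string
{
    header('Content-Type: text/html');               // wrong type for a JSON body
    $language = isset($get['g_language']) ? $get['g_language'] : 'en';
    $pairs = isset($translations[$language]) ? $translations[$language] : array();
    // Hand-built JSON: the raw parameter value lands in the response body.
    return '{"language":"' . $language . '","translations":' . json_encode($pairs) . '}';
}

// Hardened version: validate the parameter against an allow-list, declare the
// response as JSON so the browser never renders it as HTML, and escape any
// HTML-significant characters that still end up in the body.
function build_translation_json_fixed(array $get, array $translations): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');       // no MIME sniffing back to HTML

    $language = isset($get['g_language']) ? (string) $get['g_language'] : 'en';
    // Language codes look like "en", "de" or "pt-BR"; anything else is rejected
    // with a 400 rather than reflected.
    if (!preg_match('/^[a-z]{2,3}(-[A-Za-z]{2,4})?$/', $language)
        || !isset($translations[$language])) {
        http_response_code(400);
        return json_encode(array('error' => 'unknown language'));
    }
    // JSON_HEX_* encode < > & ' " as \uXXXX, so even a consumer that wrongly
    // treats the body as HTML sees no tags.
    return json_encode(
        array('language' => $language, 'translations' => $translations[$language]),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample data: two languages and one malformed probe value.
$translations = array(
    'en' => array('de' => 'German', 'fr' => 'French'),
    'de' => array('en' => 'Englisch', 'fr' => 'Franzoesisch'),
);
echo build_translation_json_fixed(array('g_language' => 'de'), $translations), PHP_EOL;
echo build_translation_json_fixed(array('g_language' => 'f";><b>x</b>h'), $translations), PHP_EOL;
```

The second call returns {"error":"unknown language"} instead of echoing the probe; only the hardened function is invoked, since both functions emit headers and a real script would keep a single code path.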

0x05 Timeline

20.11.2013 - Vendor notified
21.11.2013 - Fix released, vendor responded 
09.12.2013 - Public Disclosure
