CVE-2020-9758 PoC: LiveZilla Live Chat Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: LiveZilla Live Chat Cross-Site Scripting Vulnerability (CVE-2020-9758)
Description: An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.
Description
Form submission for vulnerability in livezilla
Readme
CVE-2020-9758


> [Description]
> An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3
> (Helpdesk). A blind JavaScript injection lies in the name parameter.
> Triggering this can fetch the username and passwords of the helpdesk
> employees in the URI. This leads to a privilege escalation, from
> unauthenticated to user-level access, leading to full account
> takeover. The attack fetches multiple credentials because they are
> stored in the database (stored XSS). This affects the mobile/chat URI
> via the lgn and psswrd parameters.
>
> ------------------------------------------
>
> [Additional Information]
> The leakage of credentials through the URI may be the result of the autologin feature.
> Also more parameters in the chat.php form may be vulnerable.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Livezilla
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Livechat Helpdesk - 8.0.1.3
>
> ------------------------------------------
>
> [Affected Component]
> Input URL : https://livechat.example.com/chat.php
> Vulnerable Parameter : name
> Affected URL : https://livechat.example.com/mobile/chat?lgn=base64_encoded(username)&psswrd=base64_encoded(password)
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Blind Unauthenticated Stored XSS
>
> ------------------------------------------
>
> [Reference]
> https://www.livezilla.net
>
> ------------------------------------------
>
> [Discoverer]
> Arihant Singh
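
For responders: because the affected `mobile/chat` URI carries `lgn` and `psswrd` in the query string, those values are also written to web server access logs and may appear in Referer headers. The following is an added example, not part of the original README or of LiveZilla's code: a Python scan of Combined Log Format lines that reports which accounts were exposed so their passwords can be rotated. The log lines, IP address and account names are constructed, and the log format is an assumption.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client, timestamp, request line, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
CRED_PARAMS = ("lgn", "psswrd")  # parameter names taken from the advisory
# Constructed sample data (documentation IP range, made-up accounts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:10:00:00 +0000] "GET /chat.php HTTP/1.1" 200 900 "-" "UA"',
    '203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] '
    '"GET /mobile/chat?lgn=YWxpY2U=&psswrd=eHh4 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [10/Mar/2020:10:00:07 +0000] "GET /images/logo.png HTTP/1.1" 200 77 '
    '"https://livechat.example.com/mobile/chat?lgn=Ym9i&psswrd=eHh4" "UA"',
]


def exposed_account(url):
    """Return the account name if url is a mobile/chat URI with credentials, else None.

    Only the username (lgn) is decoded; the password value is never read."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/mobile/chat"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not any(p in query for p in CRED_PARAMS):
        return None
    raw = query.get("lgn", [""])[0].replace(" ", "+")  # parse_qs turns '+' into ' '
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8") or "?"
    except ValueError:
        return "?"  # credentials present but username not decodable


def scan(lines):
    """Return (timestamp, client_ip, log_field, account) for every exposure found."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        for field in ("target", "referer"):
            account = exposed_account(m.group(field))
            if account is not None:
                findings.append((m.group("ts"), m.group("ip"), field, account))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit in the `referer` field means the credential-bearing URL was sent along with a later request, so the log files themselves should be treated as containing secrets.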