Author: Jakub Zoczek [[email protected]]
CVE Reference: CVE-2013-7032
Product: LiveZilla
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 5.1.2.0
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Status: Fixed
0x01 Background
LiveZilla, the widely-used and trusted Live Help and Live Support System.
0x02 Description
LiveZilla in version 5.1.2.0 is prone to multiple stored cross-site scripting vulnerabilities in Webbased Operator Client. Attacker is able to execute arbitrary javascript code in context of operator browser by providing xss payloads into unfiltered fields - details below.
0x03 Proof of Concept
0x04 Fix
Vulnerability was fixed in LiveZilla 5.1.2.1 version.
0x05 Timeline
08.12.2013 - Vendor notified
09.12.2013 - Vendor responded with informations about planned release
10.12.2013 - Version 5.1.2.1 released
15.12.2013 - Public Disclosure