1. ADVISORY SUMMARY
LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php
Risk: Medium
Application: LiveZilla
Versions Affected: 7.0.6.0
1. ADVISORY SUMMARY
LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php
Risk: Medium
Application: LiveZilla
Versions Affected: 7.0.6.0
Vendor: LiveZilla GmbH
Vendor URL: https://www.livezilla.net/
Sent to vendor: 04.12.2017
Vendor response: Acknowledge 04.12.2017
Published fixed Release by vendor: 15.12.2017 (7.0.8.9)
Date of Public Advisory: 16.01.2018
Advisory URL: https://www.pallas.com/advisories/cve-2017-15869-livezilla-xss-knowledgebase
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 1.0 (16.01.2018) - published
2. VULNERABILITY INFORMATION
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allow remote attackers to inject arbitrary web script or HTML via the search-for parameter.
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2017-15869
CVSS Base Score v2: 6.1 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
3. VULNERABILITY DESCRIPTION
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allow remote attackers to inject arbitrary web script or HTML via the search-for parameter.
4. SOLUTIONS AND WORKAROUNDS
Update to Release 7.0.8.9 or higher (Dec 2017)
No possible workaround before 7.0.8.9
5. AUTHOR
Tim Kretschmann (Pallas GmbH)
6. TECHNICAL DESCRIPTION / PROOF OF CONCEPT (PoC)
Attack Vector:
/knowledgebase.php?entry=show&searchfor=ae2w1%22onfocus%3d%22alert(1)%22autofocus%3d%22bvofh&article=<IfOfArticle>
7. TIMELINE
04.12.2017 - E-Mail with Bug Information to LiveZilla
04.12.2017 - Acknowledged the bug
15.12.2017 LiveZilla published Release 7.0.8.9 (see https://www.livezilla.net/changelog/en/)
16.01.2018 Pallas published Advisory
8. ABOUT PALLAS GMBH
Pallas provides security consulting, pentesting, managed security services and hosting services with focus on security.
Adress: Pallas GmbH, Hermuelheimer Strasse 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960
Fax: 0049.2232.198629
Web: https://www.pallas.com/
LiveZilla 7.0.6.0 Cross Site Scripting
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 461