BugTraq
ADVISORY - LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php - CVE-2017-15869 Jan 16 2018 04:01PM
tim kretschmann pallas com
1. ADVISORY SUMMARY

LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php

Risk: Medium

Application: LiveZilla
Versions Affected: 7.0.6.0
Vendor: LiveZilla GmbH
Vendor URL: https://www.livezilla.net/

Sent to vendor: 04.12.2017
Vendor response: Acknowledge 04.12.2017
Published fixed Release by vendor: 15.12.2017 (7.0.8.9)
Date of Public Advisory: 16.01.2018

Advisory URL: https://www.pallas.com/advisories/cve-2017-15869-livezilla-xss-knowledge
base
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 1.0 (16.01.2018) - published

2. VULNERABILITY INFORMATION

A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allow remote attackers to inject arbitrary web script or HTML via the search-for parameter.

Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2017-15869
CVSS Base Score v2: 6.1 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

3. VULNERABILITY DESCRIPTION

A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allow remote attackers to inject arbitrary web script or HTML via the search-for parameter.

4. SOLUTIONS AND WORKAROUNDS

Update to Release 7.0.8.9 or higher (Dec 2017)
No possible workaround before 7.0.8.9

5. AUTHOR

Tim Kretschmann (Pallas GmbH)

6. TECHNICAL DESCRIPTION / PROOF OF CONCEPT (PoC)

Attack Vector:
/knowledgebase.php?entry=show&searchfor=ae2w1%22onfocus%3d%22alert(1)%22
autofocus%3d%22bvofh&article=<IfOfArticle>

7. TIMELINE

04.12.2017 - E-Mail with Bug Information to LiveZilla
04.12.2017 - Acknowledged the bug
15.12.2017 ? LiveZilla published Release 7.0.8.9 (see https://www.livezilla.net/changelog/en/)
16.01.2018 ? Pallas published Advisory

8. ABOUT PALLAS GMBH

Pallas provides security consulting, pentesting, managed security services and hosting services with focus on security.
Adress: Pallas GmbH, Hermuelheimer Strasse 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960
Fax: 0049.2232.198629
Web: https://www.pallas.com/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus