Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LiveZilla 5.1.2.0 Insecure Password Storage

🗓️ 16 Dec 2013 00:00:00Reported by Jakub ZoczekType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

LiveZilla 5.1.2.0 insecure password storage, XSS attack vulnerability, fixed in version 5.1.2.

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2013-7033
19 May 201414:00
cve
Cvelist		CVE-2013-7033
19 May 201414:00
cvelist
EUVD		EUVD-2013-6834
7 Oct 202500:30
euvd
Tenable Nessus		LiveZilla < 5.1.2.1 Multiple Vulnerabilities
18 Dec 201300:00
nessus
NVD		CVE-2013-7033
19 May 201414:55
nvd
OpenVAS		LiveZilla Password Disclosure Vulnerability
19 Feb 201400:00
openvas
Prion		Cross site scripting
19 May 201414:55
prion
Prion		Cross site scripting
19 May 201414:55
prion
RedhatCVE		CVE-2013-7385
22 May 202504:08
redhatcve
securityvulns		LiveZilla 5.1.2.0 Insecure password storage
9 Jan 201400:00
securityvulns
Rows per page
`Author: Jakub Zoczek [[email protected]]  
CVE Reference: CVE-2013-7033  
Product: LiveZilla   
Vendor: LiveZilla GmbH [http://livezilla.net]  
Affected version: 5.1.2.0  
Severity: Medium  
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)  
Status: Partly fixed  
  
0x01 Background  
  
LiveZilla, the widely-used and trusted Live Help and Live Support System.  
  
0x02 Description  
  
LiveZilla in version 5.1.2.0 is prone to insecure password storage. Attacker using for example XSS attack is able to get currently logged operator's username and password string (plaintext).  
  
0x03 Proof of Concept  
  
alert('User: ' + loginName + ' password: ' + loginPassword);  
  
http://postimg.org/image/vvw7e2zoz/  
  
0x04 Fix  
  
Vulnerability was partly fixed in LiveZilla 5.1.2.1 version. Now passwords are stored as md5 hash, but it's still accesable from javascript.   
  
0x05 Timeline  
  
08.12.2013 - Vendor notified  
09.12.2013 - Vendor responded with informations about planned release   
10.12.2013 - Version 5.1.2.1 released  
15.12.2013 - Public Disclosure  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Dec 2013 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.0025
livezillapassword storagexss attackversion 5.1.2.0vulnerabilityversion 5.1.2.1md5 hashjavascript accessvendor notificationpublic disclosure
30