LiveZilla 7.0.6.0 Cross Site Scripting

16 Jan 2018 00:00:00 | Reported by Tim Kretschmann | Type: packetstorm | Source: packetstormsecurity.com | 53 Views

LiveZilla 7.0.6.0 Cross Site Scripting vulnerability in knowledgebase.php. Medium risk. Update to Release 7.0.8.9 or higher required

1. ADVISORY SUMMARY  
  
LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php  
  
Risk: Medium  
  
Application: LiveZilla  
Versions Affected: 7.0.6.0  
Vendor: LiveZilla GmbH  
Vendor URL: https://www.livezilla.net/  
  
Sent to vendor: 04.12.2017  
Vendor response: Acknowledged 04.12.2017  
Published fixed Release by vendor: 15.12.2017 (7.0.8.9)  
Date of Public Advisory: 16.01.2018  
  
Advisory URL: https://www.pallas.com/advisories/cve-2017-15869-livezilla-xss-knowledgebase  
Author: Tim Kretschmann (Pallas GmbH)  
Version and State of report: 1.0 (16.01.2018) - published  
  
  
2. VULNERABILITY INFORMATION  
  
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter.  
  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE: CVE-2017-15869  
CVSS Base Score v2: 6.1 / 10  
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
  
  
3. VULNERABILITY DESCRIPTION  
  
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter.  
  
  
4. SOLUTIONS AND WORKAROUNDS  
  
Update to Release 7.0.8.9 or higher (Dec 2017)  
No possible workaround before 7.0.8.9  
  
  
5. AUTHOR  
  
Tim Kretschmann (Pallas GmbH)  
  
  
6. TECHNICAL DESCRIPTION / PROOF OF CONCEPT (PoC)   
  
Attack Vector:  
/knowledgebase.php?entry=show&searchfor=ae2w1%22onfocus%3d%22alert(1)%22autofocus%3d%22bvofh&article=<IdOfArticle>  
  
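As an added illustration that is not LiveZilla's code or part of the advisory: a Python model of the reflection the attack vector above abuses, beside the attribute-encoded form that closes it. It assumes the searchfor value is echoed into a double-quoted value attribute (which the onfocus/autofocus shape of the payload implies); the <IdOfArticle> placeholder is taken from the advisory as-is.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's attack vector; the article id is a placeholder.
POC_URL = ("/knowledgebase.php?entry=show"
           "&searchfor=ae2w1%22onfocus%3d%22alert(1)%22autofocus%3d%22bvofh"
           "&article=<IdOfArticle>")

ATTR_RE = re.compile(r'([A-Za-z-]+)="[^"]*"')


def searchfor_param(url: str) -> str:
    """Decode the searchfor query parameter as the server side would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("searchfor", [""])[0]


def render_vulnerable(searchfor: str) -> str:
    """Hypothetical model of the pre-7.0.8.9 behaviour (not LiveZilla's code):
    the search term is echoed into a double-quoted value attribute verbatim, so a
    quote in the input closes the attribute and everything after it becomes new
    attributes on the <input> tag."""
    return f'<input type="text" name="searchfor" value="{searchfor}">'


def render_fixed(searchfor: str) -> str:
    """Hardened form: attribute-context encoding (PHP's htmlspecialchars with
    ENT_QUOTES does the same) turns every quote into an entity, so the value can
    never terminate the attribute it is placed in."""
    return f'<input type="text" name="searchfor" value="{html.escape(searchfor, quote=True)}">'


def attribute_names(markup: str) -> list[str]:
    """Attributes a browser would see on the rendered tag; anything beyond
    type/name/value means the input broke out of the value attribute."""
    return ATTR_RE.findall(markup)


def is_attribute_breakout(searchfor: str) -> bool:
    """Defensive check for WAF rules or log review: a decoded search term holding
    a quote followed by an on*= handler matches this bug class."""
    return re.search(r'"\s*on[a-z]+\s*=', searchfor, re.IGNORECASE) is not None


if __name__ == "__main__":
    term = searchfor_param(POC_URL)
    print("vulnerable:", attribute_names(render_vulnerable(term)))
    print("fixed     :", attribute_names(render_fixed(term)))
    print("flagged   :", is_attribute_breakout(term))
```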
  
7. TIMELINE  
  
04.12.2017 - E-mail with bug information to LiveZilla  
04.12.2017 - Bug acknowledged by LiveZilla  
15.12.2017 - LiveZilla published Release 7.0.8.9 (see https://www.livezilla.net/changelog/en/)  
16.01.2018 - Pallas published advisory  
  
  
8. ABOUT PALLAS GMBH  
  
Pallas provides security consulting, pentesting, managed security services and hosting services with a focus on security.  
Address: Pallas GmbH, Hermuelheimer Strasse 8a, 50321 Bruehl, GERMANY  
Phone: 0049.2232.18960  
Fax: 0049.2232.198629  
Web: https://www.pallas.com/  
