| Title | Published | Views | Family |
|---|---|---|---|
| LiveZilla knowledgebase.php file cross-site scripting vulnerability | 18 Jan 2018 00:00 | – | cnvd |
| CVE-2017-15869 | 18 Jan 2018 14:00 | – | cve |
| CVE-2017-15869 | 18 Jan 2018 14:00 | – | cvelist |
| EUVD-2017-7291 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2017-15869 | 18 Jan 2018 14:29 | – | nvd |
| LiveZilla 'knowledgebase.php' Cross Site Scripting Vulnerability | 12 Feb 2018 00:00 | – | openvas |
| CVE-2017-15869 | 18 Jan 2018 14:29 | – | osv |
| Cross site scripting | 18 Jan 2018 14:29 | – | prion |
1. ADVISORY SUMMARY
LiveZilla - Cross-site scripting (XSS) vulnerability in knowledgebase.php
Risk: Medium
Application: LiveZilla
Versions Affected: 7.0.6.0
Vendor: LiveZilla GmbH
Vendor URL: https://www.livezilla.net/
Sent to vendor: 04.12.2017
Vendor response: Acknowledged 04.12.2017
Published fixed Release by vendor: 15.12.2017 (7.0.8.9)
Date of Public Advisory: 16.01.2018
Advisory URL: https://www.pallas.com/advisories/cve-2017-15869-livezilla-xss-knowledgebase
Author: Tim Kretschmann (Pallas GmbH)
Version and State of report: 1.0 (16.01.2018) - published
2. VULNERABILITY INFORMATION
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter.
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2017-15869
CVSS Base Score v2: 6.1 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
3. VULNERABILITY DESCRIPTION
A cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla 7.0.6.0 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter.
4. SOLUTIONS AND WORKAROUNDS
Update to Release 7.0.8.9 or higher (Dec 2017)
No possible workaround before 7.0.8.9
5. AUTHOR
Tim Kretschmann (Pallas GmbH)
6. TECHNICAL DESCRIPTION / PROOF OF CONCEPT (PoC)
Attack Vector:
/knowledgebase.php?entry=show&searchfor=ae2w1%22onfocus%3d%22alert(1)%22autofocus%3d%22bvofh&article=<IdOfArticle>
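The attack vector above works because the search term is reflected verbatim inside a double-quoted HTML attribute, so the first `"` in the value closes the attribute and the remainder is parsed as new attributes (an `onfocus` handler plus `autofocus` to trigger it without user interaction). The following script is an added illustration, not the advisory's or LiveZilla's code: the `render_vulnerable`/`render_fixed` templates are a hypothetical reconstruction of the defect class, the article id is a placeholder, and the script shows the attribute breakout, the attribute-encoded output that neutralises it, and a log-side heuristic for spotting this pattern in the `searchfor` parameter.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request using the attack vector quoted in section 6 of the advisory;
# the article id is a placeholder, not a real LiveZilla article number.
POC_URL = ("/knowledgebase.php?entry=show"
           "&searchfor=ae2w1%22onfocus%3d%22alert(1)%22autofocus%3d%22bvofh"
           "&article=ARTICLE_ID_PLACEHOLDER")

# Double-quoted attributes as a tolerant tokenizer would split them.
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)="[^"]*"')


def searchfor_param(url: str) -> str:
    """Return the decoded 'searchfor' query parameter as the page would receive it."""
    return parse_qs(urlsplit(url).query).get("searchfor", [""])[0]


def render_vulnerable(term: str) -> str:
    """Hypothetical reconstruction of the defect class: the search term is reflected
    into a double-quoted attribute unencoded. This is not LiveZilla's actual code."""
    return f'<input type="text" name="searchfor" value="{term}">'


def render_fixed(term: str) -> str:
    """Same template with HTML attribute encoding; quote=True also encodes '"'."""
    return f'<input type="text" name="searchfor" value="{html.escape(term, quote=True)}">'


def attribute_names(markup: str) -> set:
    """Attribute names present on the rendered tag after tokenizing it."""
    return {m.group(1).lower() for m in ATTR_RE.finditer(markup)}


def is_attribute_breakout(raw_value: str) -> bool:
    """Log heuristic: a quote followed by an on*= handler in the (URL-decoded)
    searchfor value is the signature of this attribute-breakout pattern."""
    return re.search(r'["\']\s*on\w+\s*=', unquote(raw_value), re.I) is not None


if __name__ == "__main__":
    term = searchfor_param(POC_URL)
    print("vulnerable attrs:", sorted(attribute_names(render_vulnerable(term))))
    print("fixed attrs:     ", sorted(attribute_names(render_fixed(term))))
    print("flag in logs:    ", is_attribute_breakout(term))
```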
7. TIMELINE
04.12.2017 - E-Mail with Bug Information to LiveZilla
04.12.2017 - Acknowledged the bug
15.12.2017 - LiveZilla published Release 7.0.8.9 (see https://www.livezilla.net/changelog/en/)
16.01.2018 - Pallas published Advisory
8. ABOUT PALLAS GMBH
Pallas provides security consulting, pentesting, managed security services and hosting services with focus on security.
Address: Pallas GmbH, Hermuelheimer Strasse 8a, 50321 Bruehl, GERMANY
Phone: 0049.2232.18960
Fax: 0049.2232.198629
Web: https://www.pallas.com/