CVE-2013-7033

Name of the Vulnerable Software and Affected Versions LiveZilla versions prior to 5.1.2.1

Description The issue allows remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack. This is possible because the operator password is included in plaintext in Javascript code generated by the /lz/mobile/chat.php endpoint.

Recommendations For versions prior to 5.1.2.1, update to version 5.1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /lz/mobile/chat.php endpoint to minimize the risk of exploitation. Avoid using the loginName and loginPassword variables in the affected Javascript code until the issue is resolved.