CVE-2013-7385

Name of the Vulnerable Software and Affected Versions LiveZilla versions 5.1.2.1 and earlier

Description The issue allows remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack. This is possible because the MD5 hash of the operator password is included in plaintext in Javascript code generated by "lz/mobile/chat.php".

Recommendations For LiveZilla versions 5.1.2.1 and earlier, consider disabling access to the "lz/mobile/chat.php" endpoint until a fix is available to prevent exploitation. Restrict access to the loginName and loginPassword variables to minimize the risk of sensitive information disclosure.