Livezilla · Livezilla Live Chat · CVE-2020-9758
**Name of the Vulnerable Software and Affected Versions**
LiveZilla Live Chat version 8.0.1.3
**Description**
A blind JavaScript injection issue exists in the `name` parameter of the chat.php file. It can lead to a privilege escalation from unauthenticated to user-level access, resulting in full account takeover. Because this is a stored XSS, the issue allows helpdesk employees' usernames and passwords, which are stored in the database, to be fetched. This affects the mobile/chat URI via the `lgn` and `psswrd` parameters.
**Recommendations**
For LiveZilla Live Chat version 8.0.1.3, consider disabling the `name` parameter in the chat.php file as a temporary workaround until a patch is available. Restrict access to the mobile/chat URI to minimize the risk of exploitation. Avoid using the `lgn` and `psswrd` parameters in the affected API endpoint until the issue is resolved.
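As a defender-side check for the description and recommendations above, the following scanner is an added example (not LiveZilla code) that triages web-server access logs for two signals: markup or script in the `name` parameter of requests to chat.php, and requests to the mobile/chat URI carrying `lgn` or `psswrd` in the query string. The log lines are constructed samples, the `/mobile/chat` path shape is assumed, and only query-string parameters are visible in such logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /livezilla/chat.php?name=Alice&email=a%40example.org HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2020:12:00:07 +0000] "GET /livezilla/chat.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2020:12:01:30 +0000] "GET /livezilla/mobile/chat/?lgn=agent1&psswrd=REDACTED HTTP/1.1" 200 128
198.51.100.2 - - [10/Mar/2020:12:02:00 +0000] "GET /livezilla/index.php HTTP/1.1" 200 2048
"""

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup or script markers in a decoded value: a tag opener, a javascript: URL,
# or an on*= event-handler attribute. Deliberately broad: this is a triage signal.
INJECT_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def inspect_line(line):
    """Return (client_ip, reason) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)
    if path.endswith("/chat.php"):
        # parse_qs decodes once; a second unquote also catches double-encoded input.
        for value in params.get("name", []):
            if INJECT_RE.search(unquote(value)):
                return (m.group("ip"), "markup or script in chat.php name parameter")
    # Assumed path shape for the mobile/chat URI named in the advisory.
    if "/mobile/chat" in path and set(params) & {"lgn", "psswrd"}:
        return (m.group("ip"), "credential parameters on mobile/chat URI")
    return None


def scan(log_text):
    """Scan a whole log. Only query-string parameters are visible here; POSTed
    values need the application's own logging or a WAF in front of it."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```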