PT-2014-3409 · Livezilla · Livezilla

Published

2014-05-19

Updated

2014-05-20

CVE-2013-7385

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions LiveZilla versions 5.1.2.1 and earlier

Description The issue allows remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack. This is possible because the MD5 hash of the operator password is included in plaintext in Javascript code generated by "lz/mobile/chat.php".

Recommendations For LiveZilla versions 5.1.2.1 and earlier, consider disabling access to the "lz/mobile/chat.php" endpoint until a fix is available to prevent exploitation. Restrict access to the loginName and loginPassword variables to minimize the risk of sensitive information disclosure.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

CVE-2013-7385

Affected Products

Livezilla

PT-2014-3409 · Livezilla · Livezilla

CVE-2013-7385

Weakness Enumeration

Related Identifiers

Affected Products

References · 3