PT-2020-13810 · Enghouse · Enghouse Web Chat

Burninator

Published

2020-09-03

Updated

2020-09-08

CVE-2020-13972

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Enghouse Web Chat version 6.2.284.34

Description The issue allows for cross-site scripting (XSS) when a user enters their own domain name in the WebServiceLocation parameter. The response from the POST request is displayed, and any JavaScript returned from the external server is executed in the browser.

Recommendations For Enghouse Web Chat version 6.2.284.34, consider restricting access to the WebServiceLocation parameter to prevent external JavaScript execution until a fix is available. Avoid using the WebServiceLocation parameter with external domain names to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-13972

Affected Products

Enghouse Web Chat

PT-2020-13810 · Enghouse · Enghouse Web Chat

CVE-2020-13972

Weakness Enumeration

Related Identifiers

Affected Products

References · 3