PT-2020-20740 · Livezilla · Livezilla Live Chat

Ari034 +1 · Published 2020-03-09 · Updated 2020-03-10 · CVE-2020-9758

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LiveZilla Live Chat version 8.0.1.3

Description

A blind JavaScript injection issue exists in the name parameter of the chat.php file. This can lead to a privilege escalation from unauthenticated to user-level access, resulting in full account takeover. The issue allows the fetching of helpdesk employees' usernames and passwords, which are stored in the database, due to a stored XSS vulnerability. This affects the mobile/chat URI via the lgn and psswrd parameters.

Recommendations

For LiveZilla Live Chat version 8.0.1.3, consider disabling the name parameter in the chat.php file as a temporary workaround until a patch is available. Restrict access to the mobile/chat URI to minimize the risk of exploitation. Avoid using the lgn and psswrd parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-9758

Affected Products

Livezilla Live Chat