LiveZilla version 5.1.0.0 suffers from a cross-site scripting vulnerability.
Author: Jakub Zoczek [zoczus@gmail.com]
CVE Reference: CVE-2013-7002
Product: LiveZilla
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 5.1.0.0
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Status: Fixed
0x01 Background
LiveZilla, the widely-used and trusted Live Help and Live Support System.
0x02 Description
LiveZilla version 5.1.0.0 is prone to a reflected cross-site scripting issue in the translation PHP script, which is used to generate JSON with connections between origin and destination languages. The response content type is text/html and the g_language GET variable is displayed without sanitization, which makes the script vulnerable.
0x03 Proof of Concept
http://hostname/livezilla/mobile/php/translation/index.php?g_language=f"><img src=a onerror=alert('XSS')>h
0x04 Fix
The vulnerability was fixed in LiveZilla version 5.1.1.0.
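The advisory does not show the vendor's patch. The following is an added example, not LiveZilla code, of how a JSON endpoint of this kind can handle a g_language-style parameter safely; the function name, the language map and the allowlist pattern are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not LiveZilla source code.
// Constructed language map standing in for the script's real data.
const LANGUAGE_PAIRS = ['en' => ['de', 'fr'], 'de' => ['en']];

// Builds the response for a g_language value: returns [status, headers, body].
// A real handler would pass these to http_response_code(), header() and echo.
function build_translation_response(?string $gLanguage): array
{
    $headers = [
        // JSON is declared as JSON, so a browser never parses it as markup.
        'Content-Type: application/json; charset=utf-8',
        // Stops MIME sniffing from treating the body as HTML.
        'X-Content-Type-Options: nosniff',
    ];

    // Allowlist: language codes such as "en" or "pt-BR". Anything else is
    // rejected, and the rejected value is never echoed back.
    if ($gLanguage === null
        || !preg_match('/\A[A-Za-z]{2,3}(-[A-Za-z]{2,4})?\z/', $gLanguage)) {
        return [400, $headers, json_encode(['error' => 'invalid language'])];
    }

    $code = strtolower($gLanguage);
    $payload = ['language' => $code, 'targets' => LANGUAGE_PAIRS[$code] ?? []];

    // Defence in depth: JSON_HEX_* emits <, >, &, ' and " as \uXXXX escapes,
    // so the body stays inert even if it is later embedded in an HTML page.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return [200, $headers, json_encode($payload, $flags)];
}

// Constructed inputs: a valid code and the value from the proof of concept.
$samples = ['en', 'f"><img src=a onerror=alert(\'XSS\')>h'];
foreach ($samples as $value) {
    [$status, $headers, $body] = build_translation_response($value);
    echo $status, ' ', $body, PHP_EOL;
}
```

Either control alone addresses the condition described in 0x02: the correct content type prevents HTML parsing of the response, and the allowlist keeps markup out of the output.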
0x05 Timeline
20.11.2013 - Vendor notified
21.11.2013 - Fix released, vendor responded
09.12.2013 - Public Disclosure