MidnightBSD

Advisories for livezilla

CVE-2010-4276 MEDIUM

Cross-site scripting (XSS) vulnerability in the lz_tracking_set_sessid function in templates/jscript/jstrack.tpl in LiveZilla 3.2.0.2 allows remote attackers to inject arbitrary web script or HTML via the livezilla parameter in a track action to server.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla 3.2.0.2
CVE-2013-6223 LOW

LiveZilla before 5.1.1.0 stores the admin Base64 encoded username and password in a 1click file, which allows local users to obtain access by reading the file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
CVE-2013-6224 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla before 5.1.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) a name in the call administrator feature, (2) unspecified vectors to the admins visitor information panel, or (3) a text message in a chat session, which is saved in the archive section.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
CVE-2013-6225 HIGH

LiveZilla 5.0.1.4 has a Remote Code Execution vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
livezilla livezilla 5.0.1.4
CVE-2013-7002 MEDIUM

Cross-site scripting (XSS) vulnerability in mobile/php/translation/index.php in LiveZilla before 5.1.1.0 allows remote attackers to inject arbitrary web script or HTML via the g_language parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
CVE-2013-7003 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla before 5.1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) full name field, (2) company field, or (3) filename to chat.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 5.1.0.0
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
CVE-2013-7032 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the web based operator client in LiveZilla before 5.1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name of an uploaded file or (2) customer name in a resource created from an uploaded file, a different vulnerability than CVE-2013-7003.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 5.1.0.0
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
livezilla livezilla 5.1.1.0
CVE-2013-7033 MEDIUM

LiveZilla before 5.1.2.1 includes the operator password in plaintext in Javascript code that is generated by lz/mobile/chat.php, which might allow remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
livezilla livezilla 5.0.1.3
livezilla livezilla 5.1.0.0
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla *
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 5.1.1.0
CVE-2013-7034 HIGH

The setCookieValue function in _lib/functions.global.inc.php in LiveZilla before 5.1.2.1 allows remote attackers to execute arbitrary PHP code via a serialized PHP object in a cookie.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
livezilla livezilla 4.1.0.4
livezilla livezilla 5.1.0.0
livezilla livezilla 4.2.0.4
livezilla livezilla 4.0.1.2
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 4.1.0.3
livezilla livezilla 5.0.1.3
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 4.0.1.0
livezilla livezilla 3.1.8.3
livezilla livezilla 3.2.0.2
livezilla livezilla *
livezilla livezilla 4.0.1.1
livezilla livezilla 4.2.0.5
livezilla livezilla 5.1.1.0
CVE-2013-7385 MEDIUM

LiveZilla 5.1.2.1 and earlier includes the MD5 hash of the operator password in plaintext in Javascript code that is generated by lz/mobile/chat.php, which allows remote attackers to obtain sensitive information and gain privileges by accessing the loginName and loginPassword variables using an independent cross-site scripting (XSS) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7033.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
livezilla livezilla 5.0.1.3
livezilla livezilla 5.1.0.0
livezilla livezilla 5.0.1.1
livezilla livezilla 5.0.1.4
livezilla livezilla 5.1.2.0
livezilla livezilla *
livezilla livezilla 5.0.1.2
livezilla livezilla 5.0.1.0
livezilla livezilla 5.1.1.0
CVE-2017-15869 MEDIUM

Cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZilla before 7.0.8.9 allows remote attackers to inject arbitrary web script or HTML via the search-for parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2018-10810 MEDIUM

chat/mobile/index.php in LiveZilla Live Chat 7.0.9.5 and prior is affected by Cross-Site Scripting via the Accept-Language HTTP header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12939 HIGH

LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in server.php via the p_ext_rse parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12940 HIGH

LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (memory consumption) in knowledgebase.php via a large integer value of the depth parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12960 HIGH

LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12961 MEDIUM

LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1236,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12962 MEDIUM

LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12963 MEDIUM

LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the chat.php Create Ticket Action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2019-12964 MEDIUM

LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *
CVE-2020-9758 MEDIUM

An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
livezilla livezilla *