Vendor: LiveZilla Server
By: Clément Cruchet
CVSS: 6.1 (MEDIUM)
CWE: 79 (Reflected XSS)
Product Name: LiveZilla Server
Affected Version From: LiveZilla Server 8.0.1.0
Affected Version To: 8.0.1.0
Patch Exists: NO
Related CVE: CVE-2019-12962
CPE: a:livezilla:livezilla_server:8.0.1.0
Tags: xss,edb,packetstorm,cve,cve2019,livezilla
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei References:
https://www.exploit-db.com/exploits/49669
https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/
http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12962
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.html:LiveZilla', 'verified': True, 'vendor': 'livezilla', 'product': 'livezilla'}
Platforms Tested: Windows, Linux
2021
LiveZilla Server 8.0.1.0 – ‘Accept-Language’ Reflected XSS
The value of the 'Accept-Language' request header is copied into the HTML response without output encoding. An attacker who controls that header on a request to the affected server can inject markup and execute arbitrary JavaScript in the context of the application's origin, leading to session hijacking, credential theft, or actions performed with the victim's privileges. Because Accept-Language is set by the victim's browser from its locale settings and cannot be set on a navigation request by a cross-site link or form, exploiting this against another user requires a position that controls the victim's outbound request (for example a proxy or an intermediary); the same reflection is trivially confirmed with a single crafted request from the tester's own client.
Mitigation:
Treat the Accept-Language header as untrusted input, exactly like a query parameter. Validate it against the language-tag grammar (letters, digits, hyphens, commas, semicolons and q-weights) and fall back to a default locale when it does not match, and HTML-encode the value for the context it is written into (attribute or text) before it reaches the response. Output encoding at the sink is the control that prevents the injection; the allowlist check is defence in depth.
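The following Python is an added example written for this entry, not code from LiveZilla or from the original advisory. It shows both halves of the issue described above: a probe request that carries a canary in Accept-Language and a classifier that tells an unencoded reflection apart from an encoded one, plus a constructed sink (an HTML lang attribute, assumed here purely for illustration; the real reflection point is not named on this page) in its vulnerable form beside a hardened form that applies the allowlist and output encoding from the mitigation. The canary string, the hostname and the regex are this example's own assumptions.

```python
import html
import re

# Constructed canary for this example: breaks out of an attribute ("> ) and
# injects a script; the token makes the reflection easy to grep for.
CANARY = '"><script>alert("xssprobe1")</script>'

# Allowlist approximating the RFC 7231 Accept-Language grammar:
# language-range entries, each with an optional ;q=0.xxx weight,
# separated by commas. Anything else is rejected before use.
_LANG_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
_Q_WEIGHT = r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
_ENTRY = _LANG_RANGE + _Q_WEIGHT
ACCEPT_LANGUAGE_RE = re.compile(rf"^\s*{_ENTRY}(?:\s*,\s*{_ENTRY})*\s*$")


def is_valid_accept_language(value: str) -> bool:
    """True only if the whole header matches the language-tag allowlist."""
    return bool(ACCEPT_LANGUAGE_RE.fullmatch(value))


def primary_language(value: str, default: str = "en") -> str:
    """First language range from a valid header; default for invalid or '*'."""
    if not is_valid_accept_language(value):
        return default
    first = value.split(",", 1)[0].split(";", 1)[0].strip()
    return default if first == "*" else first


def render_vulnerable(accept_language: str) -> str:
    # Constructed vulnerable sink: header written into an attribute verbatim.
    return f'<html lang="{accept_language}"><body>...</body></html>'


def render_hardened(accept_language: str) -> str:
    # Hardened sink: allowlist first, then attribute-context HTML encoding.
    # Encoding alone would already neutralise the canary; validation is
    # defence in depth and keeps garbage out of the lang attribute.
    lang = primary_language(accept_language)
    return f'<html lang="{html.escape(lang, quote=True)}"><body>...</body></html>'


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response reflects the canary.

    'reflected-unencoded' is the vulnerable case; 'reflected-encoded' means
    the value came back HTML-escaped and is not exploitable as XSS.
    """
    if canary in body:
        return "reflected-unencoded"
    if html.escape(canary, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"


def build_probe_request(host: str, path: str = "/", canary: str = CANARY) -> bytes:
    """Raw HTTP/1.1 request carrying the canary in Accept-Language.

    Built offline so the probe can be reviewed before it is sent; send it
    with a raw socket or replay it from an intercepting proxy.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Accept-Language: {canary}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    # Hostname is a placeholder; nothing is sent on the wire here.
    print(build_probe_request("livezilla.example").decode())
    print(classify_reflection(render_vulnerable(CANARY)))   # reflected-unencoded
    print(classify_reflection(render_hardened(CANARY)))     # not-reflected
```

When probing a live host, feed the actual response body to classify_reflection: only "reflected-unencoded" confirms the finding, and a "reflected-encoded" result after a fix is the regression check that the output encoding is in place.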