0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
eGain Chat 15.5.5 Cross Site Scripting Vulnerability
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: eGain Chat 15.5.5 Cross-Site Scripting # Vendor Homepage: https://www.egain.com/ # Software Link: https://www.egain.com/chat-software/ # Exploit Authors: Brandon Ming Yang Ho (https://www.linkedin.com/in/minhobrandon/), Hassy Vinod Eshan (https://www.linkedin.com/in/hassy-vinod/) # CVE: CVE-2020-15948 # Timeline - June 2020: Initial vulnerability discovery - July 2020: Reported to eGain Corporation - August 2020: Fix/patch provided by eGain Corporation - September 2020: Public disclosure notified to eGain Corporation - July 2021: Published CVE-2020-15948 # 1. Introduction eGain Chat is a real time chat assistance solution by eGain Corporation for website visitors to communicate with chat agents. # 2. Vulnerability Details eGain Chat version 15.5.5 is vulnerable to reflected Cross-Site Scripting (Reflected XSS). The “Name” input field (full_name) does not fully sanitise user input for special characters such as “<” or “>” and HTML attributes such as “<a href>”. It is possible for an attacker to bypass filtering and create malicious scripts. Once the response has been rendered, the malicious JavaScript code would be executed. # 3. Proof of Concept The “Name” input field (full_name) of the chat window can be injected with the following XSS payload as a Proof of Concept to execute a javascript alert popup. Payload - <a href="javascript:alert(document.domain)">click</a> # 4. Remediation Apply the latest fix/patch from eGain Corporation. # 5. Credits - Brandon Ming Yang Ho (https://www.linkedin.com/in/minhobrandon/) - Hassy Vinod Eshan (https://www.linkedin.com/in/hassy-vinod/) # 0day.today [2024-12-24] #