CVE-2020-9758 in LiveZilla Live Chat
Summary
by MITRE
An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/11/2025
The vulnerability identified in CVE-2020-9758 represents a critical security flaw within LiveZilla Live Chat version 8.0.1.3 that affects the chat.php component and specifically targets the helpdesk functionality. This issue constitutes a blind javascript injection vulnerability that resides within the name parameter processing, creating a pathway for unauthorized access to sensitive user credentials. The vulnerability's severity is amplified by its ability to facilitate privilege escalation from unauthenticated status to full user-level access, ultimately enabling complete account takeover capabilities. The flaw operates through the mobile/chat URI endpoint and leverages the lgn and psswrd parameters to execute malicious code that can extract authentication credentials from the system.
The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the chat.php script, which fails to properly escape or filter user-supplied data passed through the name parameter. This allows attackers to inject malicious javascript code that executes in the context of the victim's browser session. According to CWE classification, this vulnerability maps to CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') as it enables both stored cross-site scripting and credential theft through database manipulation. The vulnerability operates under the ATT&CK framework as T1078 - Valid Accounts and T1566 - Phishing, where attackers can leverage stolen credentials to maintain persistent access to helpdesk systems.
The operational impact of this vulnerability extends beyond simple credential theft, as it creates a persistent threat vector that can compromise multiple user accounts simultaneously. The stored XSS component allows the malicious payload to persist in the database, meaning that every user who interacts with the vulnerable system can become a victim of the attack. This creates a cascading effect where initial access can quickly escalate to compromise multiple helpdesk employees' accounts, potentially leading to complete system compromise. The vulnerability affects the mobile/chat URI endpoint, which suggests that mobile applications or mobile-optimized web interfaces are also at risk, expanding the attack surface significantly.
The exploitation process begins with an attacker crafting a malicious payload targeting the name parameter in the chat.php script, which then gets stored in the database. When other users access the vulnerable system, their browsers execute the malicious javascript code, which can then extract stored credentials and transmit them to the attacker's server. This mechanism allows for automated credential harvesting without requiring direct user interaction beyond visiting the vulnerable page. The attack's effectiveness is further enhanced by the fact that helpdesk employees typically have elevated privileges within the system, making successful exploitation particularly damaging for organizations relying on LiveZilla for customer support operations.
Organizations should implement immediate mitigations including input validation and sanitization measures that properly escape special characters in all user-supplied data, particularly in parameters used for dynamic content generation. The implementation of proper content security policies and input filtering mechanisms can prevent the execution of malicious javascript code. Additionally, organizations should consider implementing web application firewalls to detect and block suspicious parameter values, and conduct regular security assessments to identify similar vulnerabilities in other components of their helpdesk systems. The vulnerability underscores the importance of secure coding practices and proper output encoding to prevent cross-site scripting attacks that can lead to privilege escalation and credential theft.