Packet Storm | Owais Mehtab | PACKETSTORM:125528
Mar 04, 2014 - 12:00 a.m.

ClickDesk 4.3 Cross Site Scripting

2014-03-04 00:00:00
Owais Mehtab
packetstormsecurity.com

EPSS: 0.002 (Low), percentile 55.0%

`ClickDesk Multiple Persistent XSS  
  
Details  
========================================================================================  
Product: ClickDesk [a cross-platform live chat and support plugin]  
Security-Risk: High  
Remote-Exploit: yes  
Vendor-URL: https://www.clickdesk.com/  
Advisory-Status: NotPublished  
  
Credits  
========================================================================================  
Discovered by: Owais Mehtab  
Greets To: Mirza Burhan Baig, Muhammad Waqar, Muhammad Ali Baloch, Navaid Zafar Ansari  
  
Affected Products:  
========================================================================================  
ClickDesk <=4.3  
Tested on WordPress 3.8.1  
  
Description  
========================================================================================  
"Live Chat Plugin"  
  
More Details  
========================================================================================  
I have discovered a persistent cross-site scripting (XSS) vulnerability inside  
ClickDesk. The vulnerability can be easily exploited and can be used to steal cookies,  
perform phishing attacks and other various attacks compromising the security of a  
user.  
  
Proof of Concept  
========================================================================================  
1-Live Chat XSS  
---------------  
Go to any website that has ClickDesk Live Chat installed.  
  
Click on the "Live Chat widget" and set the below vector in the name field  
  
"><img src=O onerror=prompt(document.cookie);>  
  
Now click on initiate chat   
  
Wollah.. here you go with your own Cookie!  
  
  
2-Email XSS  
-----------  
Go to any website that has ClickDesk Live Chat installed.  
  
Click on the "Live Chat widget", this time select the email option and set the below vector in the message field  
  
"><img src=O onerror=prompt(document.cookie);>  
  
Now Click on submit  
  
Wollah.. again here you go with your own Cookie!  
  
  
  
Solution  
========================================================================================  
Edit the source code to ensure that input is properly sanitised.  
  
  
--   
Regards,  
Owais Mehtab  
`
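
The output encoding that the Solution section calls for, shown as an added example that is not part of the original advisory and is not ClickDesk code. The function names and the markup are hypothetical; the test input is the vector from the Proof of Concept section.

```javascript
// Added example: encode visitor-supplied chat fields at output time.
// renderVisitorUnsafe, renderVisitorSafe and the markup are hypothetical,
// chosen to illustrate the advisory; they are not taken from ClickDesk.

// Characters that can close an attribute value or open a tag or entity.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the name is concatenated into a double-quoted attribute and into
// element text, so a value beginning with "> closes both the attribute and
// the tag, and whatever follows is parsed as new markup.
function renderVisitorUnsafe(name) {
  return '<div class="visitor" title="' + name + '">' + name + '</div>';
}

// "After": every interpolation is encoded where it is written out. Because
// the issue is persistent, the same encoding has to be applied in each view
// that later displays the stored name or message.
function renderVisitorSafe(name) {
  const safe = escapeHtml(name);
  return '<div class="visitor" title="' + safe + '">' + safe + '</div>';
}

// Test helper: count opening tags in the rendered string. A correct render
// of one visitor contains exactly one (the wrapper div).
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Vector from the Proof of Concept section, used here as test input.
const POC_NAME = '"><img src=O onerror=prompt(document.cookie);>';

console.log('unsafe tags:', countOpeningTags(renderVisitorUnsafe(POC_NAME)));
console.log('safe tags:  ', countOpeningTags(renderVisitorSafe(POC_NAME)));
console.log(renderVisitorSafe(POC_NAME));
```

Encoding belongs at the point of output for each context (attribute, element text, e-mail body); input filtering alone does not cover values already stored.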
