HTML Injection: CVE-2019-13975

InfoSec Brothers
Jul 29, 2019

Product: eGain Chat (Version 15.0.3)

Vendor: eGain

Vendor URL: http://www.egain.com/products/live-chat-software/

Bug: HTML Injection

Exploitable: Yes

Reported on: 11 October 2018

Vendor Fixed Issue: 21 November 2018

Description:

It was observed that eGain Chat is prone to an HTML-injection vulnerability. Successful exploits allow attacker-supplied HTML and script code to run in the context of the affected browser, to conduct spoofing attacks or redirect the user to a malicious website.

Simple bold tag for demonstration: <b>hello123456789</b>

Exploit:

A login page was created within the chatbox of an agent that looked exactly like the login window shown when the agent first logged in. It displayed the message “Login again, to continue the chat”.

When the agent entered his credentials, the user ID and password were sent to the local attacker’s machine.

Business Risks:

  1. Steal the credentials of an agent.
  2. Redirect the agents to malicious sites.
  3. Content spoofing and web interface defacement.

Solutions offered and implemented by the vendor:

  1. Sanitize input given by the customer as well as agents in the chatbox.
  2. Disable hyperlinks in the chatbox.
  3. Allow only plain text in the chatbox.
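
A sketch of what solutions 1 and 3 mean in practice: every chat message is output-encoded so the client renders it as plain text. This is an added example, not eGain's code; `escapeHtml`, `renderChatMessage`, the CSS class names and the sample messages are assumptions made for illustration.

```javascript
// Added example: treat every chat message as plain text before it reaches
// the page. Function names are hypothetical, not part of any eGain API.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one chat line. Sender and message are both untrusted,
// because the fix covers input from customers as well as agents.
function renderChatMessage(sender, message) {
  return '<div class="chat-line"><span class="sender">' + escapeHtml(sender) +
    '</span>: <span class="text">' + escapeHtml(message) + "</span></div>";
}

// Constructed sample messages: the bold-tag probe from the advisory, form
// markup of the kind a fake login prompt relies on, and ordinary text that
// happens to contain special characters.
const samples = [
  "<b>hello123456789</b>",
  '<form><input type="password" name="pw"></form>',
  'Tom & Jerry said "hi"',
];

// Render all samples; no element supplied by a sender survives as markup.
function renderAll() {
  return samples.map((m) => renderChatMessage("customer", m));
}

for (const line of renderAll()) console.log(line);
```

In a browser client, assigning the message to an element's `textContent` instead of `innerHTML` gives the same plain-text result without manual escaping.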

More detail is available at https://cve.mitre.org

Thank you!!!!!!!!!!


InfoSec Brothers

We are — Security Consultants, Ethical Hackers, Penetration Testers, Bug Bounty Hunters; Proud sons, Good friends! Twitter: @Wa_sim_sim, @Mo_Hasiin