Product: eGain Chat (Version 15.0.3)
Bug: HTML Injection
Reported on: 11 October 2018
Vendor Fixed Issue: 21 November 2018
It was observed that eGain Chat is prone to an HTML-injection vulnerability. Successful exploitation allows attacker-supplied HTML and script code to run in the context of the affected browser, which can be used to conduct spoofing attacks or redirect the user to a malicious website.
A login page was created within an agent's chatbox that looked exactly like the login window shown when the agent first logged in. It displayed the message “Login again, to continue the chat”.
When the agent entered his credentials, the user ID and password were sent to the local attacker’s machine.
- Steal the credentials of an agent.
- Redirect the agents to malicious sites.
- Content spoofing and web interface defacement.
Solutions offered and implemented by the vendor:
- Sanitize input given by the customer as well as agents in the chatbox.
- Disable hyperlinks in the chatbox.
- Allow only plain text in the chatbox.
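The three fixes listed above can be combined in one rendering path. The sketch below is an added example, not eGain's code or the vendor's patch; the function names, the 2000-character limit and the sample message are assumptions made for illustration.

```javascript
// Added example: every chat message is treated as plain text before display.
// All names here are hypothetical; this is not eGain's API.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Drop control characters (tab, LF and CR are kept) and cap the length (assumed limit).
function normalizeMessage(text, maxLen = 2000) {
  return String(text)
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .slice(0, maxLen);
}

// Build the markup for one chat line. Customer and agent messages go through
// the same path, and URLs are never converted into <a> elements.
function renderChatLine(sender, text) {
  const who = escapeHtml(normalizeMessage(sender, 64));
  const body = escapeHtml(normalizeMessage(text)).replace(/\n/g, "<br>");
  return `<div class="chat-line"><span class="who">${who}</span>: ${body}</div>`;
}

// Regression check: the output may contain only the template's own tags.
function containsOnlyTemplateTags(html) {
  const allowed = new Set([
    '<div class="chat-line">', '<span class="who">', "</span>", "</div>", "<br>",
  ]);
  return (html.match(/<[^>]*>/g) || []).every((tag) => allowed.has(tag));
}

// Constructed sample input: markup typed into the chatbox stays visible as text.
const sample =
  'Login again, to continue the chat <form action="https://example.invalid"><input name="user"></form>';

console.log(renderChatLine("customer", sample));
```

In a browser client the same result is obtained by assigning the message to `textContent` rather than `innerHTML`; the escaping path above is for places where the markup is built as a string.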
More detail is available at https://cve.mitre.org