HTML Injection: CVE-2019–13975

InfoSec Brothers
Jul 29 · 1 min read

Product: eGain Chat (Version 15.0.3)

Vendor: eGain

Vendor URL:

Bug: HTML Injection

Exploitable: Yes

Reported on: 11 October 2018

Vendor Fixed Issue: 21 November 2018


It was observed that eGian chat is prone to an HTML-injection vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, to conduct spoofing attacks or redirect the user to a malicious website.

Simple bold tag for demonstration <b>hello123456789</b>


Create the login page within the chatbox of an agent that looked exactly like the login window when he first time logged in. The message was displayed that “Login again, to continue the chat”.

When the agent entered his credentials, the user id and password was sent to the local attacker’s machine.

Business Risks:

  1. Steal the credentials of an agent.
  2. Redirect the agents to malicious sites.
  3. Content spoofing and web interface defacement.

Solutions offered and implemented by a vendor:

  1. Sanitize input given by the customer as well as agents in the chatbox.
  2. Disable hyperlinks in the chatbox.
  3. Allow only plain texts in the chatbox.

More detail is available at

Thank you!!!!!!!!!!

InfoSec Brothers

Written by

We are — Security Consultants, Ethical Hackers, Penetration Testers, Bug Bounty Hunters; Proud sons, Good friends! Twitter: @Wa_sim_sim, @Mo_Hasiin

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade