Add your offcanvas content in here

The Company

Portfolio

Overview Application Security

Simplifying your IT-security journey.

Knowledge & News

LiveConfig 2.12.2 vulnerabilities

March 2, 2022 |
Tags: Pentesting
Kategorie: CVE News

Security vulnerabilities closed in LiveConfig

Hosting and administration platforms like LiveConfig are a central component of many digital business processes. This makes it all the more crucial to identify and close potential security gaps early on. In LiveConfig up to and including version 2.12.2, we discovered two serious vulnerabilities: an XSS vulnerability in the search function and a path traversal vulnerability in log files.

Due to the faulty handling of user inputs, administrators or resellers could store malicious JavaScript code as customer data via the search function and execute it in the interface, a gateway that poses risks even in privileged environments. In addition, the path traversal vulnerability allowed authenticated attackers to access files outside the intended directories, allowing them to view sensitive information from the server.

Following our notification, the manufacturer fixed both security vulnerabilities in version 2.13.0. In this article, we will examine how these vulnerabilities worked in detail, what impact they could have had, and how you can best protect your hosting environment. Benefit from our expertise and work with us to ensure the security of your business-critical systems.

Two security vulnerabilities were discovered in the LiveConfig 2.12.2 software. We reported both to the software manufacturer, and they were fixed in version 2.13.0.

Stored XSS

Description

LiveConfig up to version 2.12.2 is vulnerable to stored cross-site scripting due to missing output encryption of search results. An administrator or reseller user can store arbitrary JavaScript code as customer data, which is executed when displayed via the search function.

Affected component: /liveconfig/search

Attack type: Remote

Impact Escalation of permissions: false

Impact of Information Disclosure: false

Attack Vectors: To exploit the vulnerability, an attacker requires administrator or reseller accounts.

Reference: https://www.liveconfig.com/en/changelog/

Path Traversal

Description

A path traversal vulnerability for log files in LiveConfig up to version 2.12.2 allows authenticated attackers to read files on the underlying server.

Affected Component: /liveconfig/hosting/webspace

Attack type: Remote

Impact of Information Disclosure: true

Attack Vectors: To exploit the vulnerability, an attacker requires a user account.

Reference: https://www.liveconfig.com/en/changelog/

The author

Anja Donaubauer