HIO-2008-1110 ActiveCampaign TrioLive SQLi & XSS
ActiveCampaign's TrioLive, "live chat for your website", exhibits SQL injection and cross-site scripting vulnerabilities.
SQLi occurs because the index.php script does not properly sanitize input submitted in the "department_id" variable.
This may allow an attacker to inject or manipulate SQL queries in the backend database.
Cross-site scripting occurs because the index.php script does not properly sanitize input submitted in the "department_id" variable before reflecting it in the response.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
The vendor has issued TrioLive 1.58.7 to mitigate this vulnerability.
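As an added illustration, not TrioLive's code or the vendor's fix, the following hypothetical PHP handler shows a "department_id" parameter reaching both a SQL query and an HTML response, next to a hardened version that validates the type, uses a prepared statement and encodes output. The table, column names and DSN are assumptions.

```php
<?php
// Illustrative example (not TrioLive's index.php): one request parameter
// feeding two sinks, a SQL query and an HTML page. Table/column names and
// the database DSN are assumptions for this example.

// --- Vulnerable pattern: the raw parameter reaches both sinks unchanged ---
function vulnerable_handler(PDO $db, array $get): string {
    $dept = $get['department_id'] ?? '';
    // SQL sink: string concatenation lets the parameter change the query.
    $rows = $db->query("SELECT name FROM departments WHERE id = $dept")->fetchAll();
    // HTML sink: the parameter is echoed back unencoded (reflected XSS).
    return "<h1>Department $dept</h1>" . json_encode($rows);
}

// --- Hardened pattern: validate type, parameterize SQL, encode output ---
function hardened_handler(PDO $db, array $get): string {
    // department_id is an integer key; reject anything else up front.
    $dept = filter_var($get['department_id'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($dept === false) {
        http_response_code(400);
        return 'Invalid department_id';
    }
    // Prepared statement: the value is bound as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT name FROM departments WHERE id = :id');
    $stmt->bindValue(':id', $dept, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Output encoding for every value written into the HTML body; the SQL
    // fix alone would leave the reflected-XSS sink open.
    $out = '<h1>Department ' . htmlspecialchars((string)$dept, ENT_QUOTES, 'UTF-8') . '</h1>';
    foreach ($rows as $row) {
        $out .= '<p>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $out;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO departments VALUES (1, 'Sales'), (2, 'Support')");

echo hardened_handler($db, ['department_id' => '2']), PHP_EOL;     // valid lookup
echo hardened_handler($db, ['department_id' => '2abc']), PHP_EOL;  // rejected: not an integer
```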
CVE: CVE-2008-5055 & CVE-2008-5056
OSVDB: 49825 & 49858
Vendor Solution: Update