HIO-2008-1110 ActiveCampaign TrioLive SQLi & XSS
ActiveCampaign's TrioLive, "live chat for your website", exhibits SQL injection and cross-site scripting vulnerabilities.

SQL injection occurs because the index.php script does not properly sanitize the "department_id" parameter before using it. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Cross-site scripting occurs because the same "department_id" parameter is not properly sanitized by the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The vendor has issued TrioLive 1.58.7 to mitigate these vulnerabilities.

References:
CVE: CVE-2008-5055, CVE-2008-5056
BID: 32268
FrSIRT: 3125
Nessus: Pending
OSVDB: 49825, 49858
SA: 32703
XF: 46557
Vendor Solution: Update
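The two findings above share one root cause: a request parameter that is fed into a SQL statement and reflected into HTML without validation or encoding. The following is an added illustration written for this page, not TrioLive's code (the advisory quotes no source), and it uses Python with an in-memory SQLite table as a stand-in for the PHP script and its database. The table name, column names and sample rows are constructed. It contrasts a query built by string formatting, where the raw "department_id" lands verbatim in the SQL text, with the defensive pattern: allow-list validation of the parameter as a plain integer, a parameterized query, and HTML escaping of anything reflected back to the browser.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a live-chat departments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO departments VALUES (?, ?)", [(1, "Sales"), (2, "Support")])
    return conn


def build_query_unsafe(raw_department_id):
    """The flawed pattern: the untrusted value is pasted straight into the SQL text.
    Returned as a string (not executed) so the reader can see the attacker-controlled
    input become part of the statement."""
    return "SELECT name FROM departments WHERE id = " + raw_department_id


def parse_department_id(raw):
    """Allow-list validation: department_id must be a short run of ASCII digits.
    Anything else (empty, signed, non-numeric, over-long) is rejected up front."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit() or len(raw) > 9:
        return None
    return int(raw)


def lookup_department(conn, raw_department_id):
    """Hardened lookup: validate first, then bind the value as a query parameter.
    The database receives the integer as data, never as SQL text."""
    dept_id = parse_department_id(raw_department_id)
    if dept_id is None:
        return None
    row = conn.execute("SELECT name FROM departments WHERE id = ?", (dept_id,)).fetchone()
    return row[0] if row else None


def render_page(conn, raw_department_id):
    """Hardened output: whatever is reflected to the browser is HTML-escaped,
    including the rejected raw value in the error message."""
    name = lookup_department(conn, raw_department_id)
    if name is None:
        return "<p>Unknown department: %s</p>" % html.escape(str(raw_department_id), quote=True)
    return "<p>Chatting with %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("abc"))      # raw input appears inside the SQL text
    print(render_page(db, "1"))           # <p>Chatting with Sales</p>
    print(render_page(db, "<b>x</b>"))    # reflected value arrives as entities, not markup
```

The integer check does the heavy lifting for this particular parameter: once department_id is known to be a plain integer, neither the SQL layer nor the HTML layer can receive anything other than digits, and the parameterized query plus output escaping remain as defense in depth for values that are not so easily constrained.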