eGain Chat 15.5.5 Cross Site Scripting

CVE Category Price Severity
CVE-2020-15948 CWE-79 $5000 High
Author Risk Exploitation Type Date
Unknown High Remote 2021-08-01
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

eGain Chat 15.5.5 Cross Site Scripting
# Exploit Title: eGain Chat 15.5.5 Cross-Site Scripting
# Vendor Homepage:
# Software Link:
# Exploit Authors: Brandon Ming Yang Ho (, Hassy Vinod Eshan (
# CVE: CVE-2020-15948

# Timeline

- June 2020: Initial vulnerability discovery
- July 2020: Reported to eGain Corporation
- August 2020: Fix/patch provided by eGain Corporation
- September 2020: Public disclosure notified to eGain Corporation
- July 2021: Published CVE-2020-15948

# 1. Introduction

eGain Chat is a real time chat assistance solution by eGain Corporation for website visitors to communicate with chat agents.

# 2. Vulnerability Details

eGain Chat version 15.5.5 is vulnerable to reflected Cross-Site Scripting (Reflected XSS).

The Name input field (full_name) does not fully sanitise user input for special characters such as < or > and HTML attributes such as <a href>. It is possible for an attacker to bypass filtering and create malicious scripts. Once the response has been rendered, the malicious JavaScript code would be executed.

# 3. Proof of Concept

The Name input field (full_name) of the chat window can be injected with the following XSS payload as a Proof of Concept to execute a javascript alert popup.

Payload - <a href="javascript:alert(document.domain)">click</a>

# 4. Remediation

Apply the latest fix/patch from eGain Corporation.

# 5. Credits

- Brandon Ming Yang Ho (
- Hassy Vinod Eshan (

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum