CVE-2014-6420

MEDIUM

Livefyre LiveComments 3.0 - Stored Cross-Site Scripting via Uploaded Picture Name

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6420. PoCs published by Brij Kishore Mishra.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in the Livefyre LiveComments Plugin v3.0. The exploit involves intercepting and modifying the 'name' variable during image upload to inject an XSS payload, which executes when the comment is posted.

Description

Cross-site scripting (XSS) vulnerability in Livefyre LiveComments 3.0 allows remote attackers to inject arbitrary web script or HTML via the name of an uploaded picture.

Exploits (1)

exploitdb WRITEUP
by Brij Kishore Mishra · text · webapps · php
https://www.exploit-db.com/exploits/34721

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Livefyre LiveComments Plugin v3.0
Auth required
Prerequisites: User account with Livefyre · Intercepting proxy (e.g., Burp Suite)
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/96037

Scores

CVSS v3 6.1
EPSS 0.0176
EPSS Percentile 75.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
livefyre/livecomments 3.0
Published Dec 27, 2019
Tracked Since Feb 18, 2026