Bugtraq mailing list archives

Kayako SupportSuite Multiple Persistent Cross Site Scripting (Current Versions)


From: pen-test () comodo com
Date: 21 Jan 2010 22:17:16 -0000

##########################################################
# Comodo Group
#
# Vendor : Kayako Infotech Ltd.
# URL : http://www.kayako.com/
# Version : Kayako SupportSuite <= 3.60.04
##########################################################

We've discovered multiple persistent cross site scripting vulnerabilities in the latest version of Kayako SupportSuite
(3.60.04). Because of improper input validation, an attacker (an authenticated staff member) can inject JavaScript code
into the body or even the subject of a knowledge base article, which will execute in the context of the victim's browser
when they view the pages in question. This makes it possible to steal cookies, hijack sessions and more. The severity of
this is augmented by the fact that the subjects of newly published articles appear on the home page of the portal,
making it easy to compromise a large number of users.

The vendor has been notified, but until they issue a patch, administrators can modify the relevant PHP themselves to do
better input validation.

BKz
LPIC, Sec+, OSCP
http://www.comodo.com/
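
One way an administrator could approach the interim fix described above, as an added example that is not Kayako's code or part of the original advisory. It uses output encoding for the article subject and an allowlist sanitizer for the article body rather than input validation alone; the function names are hypothetical, and it assumes subjects are plain text while bodies may keep limited formatting.

```php
<?php
// Added example, not Kayako code: all function names here are hypothetical.

// Subject is treated as plain text: encode on output so any markup is inert.
function render_subject(string $subject): string {
    return htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Body keeps limited formatting: re-serialize it from an allowlist of tags.
function sanitize_body(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate malformed input
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body ? clean_children($body) : '';
}

function clean_children(DOMNode $node): string {
    $allowed = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'pre', 'code', 'a'];
    $dropped = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $dropped, true)) continue;        // drop tag and its contents
            $inner = clean_children($child);
            if (!in_array($tag, $allowed, true)) { $out .= $inner; continue; } // unwrap unknown tags
            if ($tag === 'br') { $out .= '<br>'; continue; }
            $attr = '';                                          // every attribute is discarded,
            $href = trim($child->getAttribute('href'));          // except a vetted href on <a>
            if ($tag === 'a' && preg_match('#^(?:https?://|mailto:)#i', $href)) {
                $attr = ' href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" rel="nofollow noopener"';
            }
            $out .= "<$tag$attr>$inner</$tag>";
        }
    }
    return $out;
}

// Constructed sample input, not taken from the advisory.
$subject = 'Reset steps <script>alert(1)</script>';
$body    = '<p onclick="x()">See <a href="javascript:x()">this</a> and <b>that</b></p><script>x()</script>';
echo render_subject($subject), "\n";
echo sanitize_body($body), "\n";
```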

