[NGENUITY] - Ticket Subject Persistent XSS in Kayako SupportSuite
From: Adam Baldwin <adam_baldwin ngenuity-is com>
To: full-disclosure lists grok org uk, bugtraq securityfocus com
Date: Sat - Aug 08, 2009 09:37 AM
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in Kayako SupportSuite
Application: SupportSuite v3.50.06
Vendor website: http://www.kayako.com
Author: Adam Baldwin (email@example.com)
Class: Persistent Cross-Site Scripting
"SupportSuite is [Kayako's] flagship product, integrating the
e-mail management features of eSupport with the live chat and visitor
monitoring features of LiveResponse." 
The subject field of a newly created support ticket is not properly
sanitized before being sent to the browser when the ticket details are
viewed. For more on cross-site scripting, please refer to the Common
Weakness Enumeration entry available at cwe.mitre.org.
An example attack might look similar to the following.
 - http://www.kayako.com
 - http://cwe.mitre.org/data/definitions/79.html
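As an added illustration (not code from the advisory or from Kayako), the following Python models the defect class the advisory describes: a stored ticket subject interpolated into the ticket details page without output encoding, beside the corrected rendering, plus a small check a regression test could use. The template strings, function names and sample subject are assumptions.

```python
import html
import re

# Constructed sample: a ticket subject that carries markup. Anything a
# ticket submitter controls must be treated as untrusted at render time.
SAMPLE_SUBJECT = 'Printer broken <script>doSomething()</script>'

def render_ticket_details_vulnerable(subject: str) -> str:
    """Models the defect: the stored subject is placed into HTML text
    content with no encoding, so markup in it is parsed by the browser."""
    return f"<h2>Ticket: {subject}</h2>"

def render_ticket_details_fixed(subject: str) -> str:
    """Corrected form: HTML-encode at the point the value enters HTML text.
    Attribute, URL and script contexts need their own encoders; this
    example covers text content only."""
    return f"<h2>Ticket: {html.escape(subject, quote=True)}</h2>"

# Matches anything that a browser would treat as a start or end tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def contains_user_markup(rendered: str) -> bool:
    """Regression-test helper: strip the template's own wrapper tags and
    report whether any tag remains in the user-controlled part."""
    prefix, suffix = "<h2>Ticket: ", "</h2>"
    body = rendered
    if body.startswith(prefix):
        body = body[len(prefix):]
    if body.endswith(suffix):
        body = body[:-len(suffix)]
    return TAG_RE.search(body) is not None

if __name__ == "__main__":
    print(render_ticket_details_vulnerable(SAMPLE_SUBJECT))
    print(render_ticket_details_fixed(SAMPLE_SUBJECT))
```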
IV. VENDOR COMMUNICATION
7.17.2009 - Vulnerability Discovery
7.20.2009 - Initial Vendor Response
7.21.2009 - Patch created, Will be pushed to next stable release
8.08.2009 - Advisory released