AOH :: HP Unsorted T :: BT-21450.HTM

Ticket Subject Persistent XSS in Kayako SupportSuite



- Ticket Subject Persistent XSS in Kayako SupportSuite
- Ticket Subject Persistent XSS in Kayako SupportSuite



nGenuity Information Services =E2=80=93 Security Advisory

   Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in
Kayako SupportSuite
   Application: SupportSuite v3.50.06
        Vendor: Kayako
Vendor website: http://www.kayako.com 
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com) 

         Class: Persistent Cross-Site Scripting

  I. BACKGROUND
     "SupportSuite is [Kayako's] flagship product, integrating the
ticket and
      e-mail management features of eSupport with the live chat and visitor
      monitoring features of LiveResponse." [1]

 II. DETAILS
     The subject field of a newly created support ticket is not properly
encoded before
     being sent to the browser when the ticket details are viewed. More
information
     on cross-site scripting please refer to the Common Weakness
Enumeration specification
     available cwe.mitre.org [2].

     An example attack might look similar to the following.

     

III. REFERENCES
[1] - http://www.kayako.com 
[2] - http://cwe.mitre.org/data/definitions/79.html 

 IV. VENDOR COMMUNICATION
     7.17.2009 - Vulnerability Discovery
     7.20.2009 - Initial Vendor Response
     7.21.2009 - Patch created, Will be pushed to next stable release
     8.08.2009 - Advisory released

http://www.ngenuity.org/wordpress/2009/08/08/ngenuity-ticket-subject-persistent-xss-in-kayako-supportsuite/ 


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.