Kayako SupportSuite Ticket Subject XSS

medium Nessus Plugin ID 40872

Synopsis

The remote web server contains a PHP application that is affected by a persistent cross-site scripting vulnerability.

Description

According to its banner, the version of Kayako SupportSuite installed on the remote host is earlier than 3.60.04. Such versions are affected by a persistent cross-site scripting vulnerability. Specifically, the installed version fails to sanitize input passed to the subject field while creating a new support ticket. An attacker may be able to exploit this vulnerability by creating a new support ticket with a specially crafted subject field, and inject arbitrary HTML or script code into a user's browser which would get executed every time the support ticket is viewed.

Solution

Upgrade to Kayako SupportSuite 3.60.04 or later.

See Also

https://seclists.org/bugtraq/2009/Aug/65

http://www.nessus.org/u?46f82a83

Plugin Details

Severity: Medium

ID: 40872

File Name: kayako_supportsuite_3_60_04.nasl

Version: 1.14

Type: remote

Family: CGI abuses

Published: 9/4/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:kayako:supportsuite

Required KB Items: www/PHP, www/kayako_supportsuite

Excluded KB Items: Settings/disable_cgi_scanning

Patch Publication Date: 8/4/2009

Vulnerability Publication Date: 8/8/2009

Reference Information

CVE: CVE-2009-3427

CWE: 79

SECUNIA: 36253