Kayako ESupport Cross-Site Scripting Vulnerability

vendor:

ESupport

by:

SecurityFocus

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: ESupport

Affected Version From: 2.3

Affected Version To: 2.3

Patch Exists: YES

Related CWE: N/A

CPE: a:kayako:esupport

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

Kayako ESupport Cross-Site Scripting Vulnerability

Kayako ESupport is prone to a cross-site scripting vulnerability. Multiple parameters of the 'index.php' script can be exploited to pass malicious HTML and script code to the application. This would occur in the security context of the affected Web site and may allow for theft of cookie-based authentication credentials or other attacks.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12868/info

Kayako ESupport is prone to a cross-site scripting vulnerability.

Multiple parameters of the 'index.php' script can be exploited to pass malicious HTML and script code to the application.

This would occur in the security context of the affected Web site and may allow for theft of cookie-based authentication credentials or other attacks.

ESupport 2.3 is reported vulnerable, however, it is possible that other versions are affected as well. 

http://www.example.com/index.php?_a=knowledgebase&_j=questiondetails&_i=[INT][XSS]

http://www.example.com/index.php?_a=knowledgebase&_j=questionprint&_i=[INT][XSS]

http://www.example.com/index.php?_a=troubleshooter&_c=[INT][XSS]

http://www.example.com/index.php?_a=knowledgebase&_j=subcat&_i=[INT][XSS]

where [INT] is a valid integer value.