Kayako SupportSuite Multiple Input Validation Vulnerabilities

Bugtraq ID:	30642
Class:	Input Validation Error
CVE:	CVE-2008-3700
Remote:	Yes
Local:	No
Published:	Aug 11 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	James Bercegay of the GulfTech Security Research Team
Vulnerable:	Kayako SupportSuite 3.30 Release Candidate 2 Kayako SupportSuite 3.4.10 Kayako SupportSuite 3.0.32 Kayako SupportSuite 3.0.13 Kayako SupportSuite 3.0 0.26
Not Vulnerable:	Kayako SupportSuite 3.30 Release Candidate 3

Kayako SupportSuite Multiple Input Validation Vulnerabilities

Kayako SupportSuite is prone to multiple input-validation vulnerabilities, including an SQL-injection issue, multiple cross-site scripting issues, and an HTML-injection issue. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Kayako SupportSuite 3.30 are vulnerable.

Kayako SupportSuite Multiple Input Validation Vulnerabilities

An attacker can exploit these issues via a browser. To exploit a cross-site scripting issue, the attacker entices an unsuspecting victim to follow a malicious URI.

The following proof-of-concept URIs are available:

• /data/vulnerabilities/exploits/30642.html

Kayako SupportSuite Multiple Input Validation Vulnerabilities

Solution:
Vendor fixes are available. Please contact the vendor for details.

Kayako SupportSuite Multiple Input Validation Vulnerabilities

References:

• 3.30.00 Release Candidate 3 (Kayako)
  
• SupportSuite Homepage (Kayako)
  
• Kayako SupportSuite < 3.30.00 Multiple Vulnerabilities (GulfTech Security Research )