Kayako Fusion Submit Ticket HTML Injection Vulnerability

Bugtraq ID:	52625
Class:	Input Validation Error
CVE:	CVE-2012-4872
Remote:	Yes
Local:	No
Published:	Mar 20 2012 12:00AM
Updated:	Mar 19 2015 07:35AM
Credit:	Sony
Vulnerable:	Kayako Kayako Fusion 4.40.959
Not Vulnerable:	Kayako Kayako Fusion 4.40.986

Kayako Fusion Submit Ticket HTML Injection Vulnerability

Kayako Fusion is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.

Kayako Fusion versions prior to 4.40.986 are vulnerable.

Kayako Fusion Submit Ticket HTML Injection Vulnerability

An attacker can exploit this issue through a browser.

Kayako Fusion Submit Ticket HTML Injection Vulnerability

Solution:
Vendor patch is available. Please see the references for more information.

Kayako Fusion Submit Ticket HTML Injection Vulnerability

References:

• 4.40.986 (Kayako)
  
• Comodo.com and Agv.sg Cross Site Scripting (Sony)
  
• Kayako Fusion Homepage (Kayako )