Lucene search
High-Tech BridgeHTB23095HistoryJun 06, 2012 - 12:00 a.m.
Cross-Site Scripting (XSS) in Kayako Fusion
2012-06-0600:00:00
High-Tech Bridge
www.htbridge.com
39
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.039 Low
EPSS
Percentile
91.9%
High-Tech Bridge SA Security Research Lab has discovered vulnerability in Kayako Fusion, which can be exploited to perform Cross-Site Scripting (XSS) attacks.
- Cross-Site Scripting (XSS) in Kayako Fusion: CVE-2012-3233
Input appended to the URL after /__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of an affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download .php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that Apache’s directive “AcceptPathInfo” is set to “on” or “default” (default value is “default”).
| CPE | Name | Operator | Version |
|---|---|---|---|
| kayako fusion | le | 4.40.1148 |
Related
prion
prion
Cross site scripting
2012-09-15 17:55:00
nvd
nvd
CVE-2012-3233
2012-09-15 17:55:05
securityvulns
securityvulns
Cross-Site Scripting (XSS) in Kayako Fusion
2012-09-07 00:00:00
cvelist
cvelist
CVE-2012-3233
2012-09-15 17:00:00
cve
cve
CVE-2012-3233
2012-09-15 17:55:05
packetstorm
packetstorm
Kayako Fusion 4.40.1148 Cross Site Scripting
2012-09-06 00:00:00
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.039 Low
EPSS
Percentile
91.9%
Related for HTB23095