Kayako LiveResponse Unspecified Script Injection Privilege Escalation

2005-07-30T05:10:46
ID OSVDB:18397
Type osvdb
Reporter James Bercegay
Modified 2005-07-30T05:10:46

Description

Vulnerability Description

Kayako LiveResponse contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue exists because the application does not sanitize the input a user supplies when entering a session or sending a message to the support staff. A malicious user may input arbitrary script, which will be executed in the context of the support staff member's browser. This flaw may lead to a loss of confidentiality, integrity and availability.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Kayako LiveResponse contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue exists because the application does not sanitize the input a user supplies when entering a session or sending a message to the support staff. A malicious user may input arbitrary script, which will be executed in the context of the support staff member's browser. This flaw may lead to a loss of confidentiality, integrity and availability.

References:

Vendor URL: http://www.kayako.com/
Secunia Advisory ID: 16286
Related OSVDB ID: 18398
Related OSVDB ID: 18399
Related OSVDB ID: 18395
Related OSVDB ID: 18396
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00092-07302005
Nessus Plugin ID: 19335
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0516.html
CVE-2005-2460
Bugtraq ID: 14425