
kayakoXSS.txt

25 Feb 2005, reported by Seth Alan Woolley
Type: packetstorm
Source: packetstormsecurity.com

Cross-site scripting (XSS) vulnerability in Kayako eSupport: the `nav` query parameter is inserted unescaped as a subheading of the knowledgebase page.

Code
```
--BQPnanjtCNWHyqYD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

http://www.google.com/search?q=%22Powered+By+kayako+eSupport%22+%22search+the+entire+knowledgebase%22

1290 customers according to Google.

http://support.kayako.com/index.php?_a=knowledgebase&_j=questiondetails&_i=2&nav=[XSS]&nav2=General%20eSupport%20Q&A

Vendor notified by their access log files (and this email to their sales staff):

http://support.kayako.com/index.php?_a=knowledgebase&_j=questiondetails&_i=2&nav=%3Cscript%3Ealert('msg')%3C/script%3E

Keeping this short and sweet since XSS vulns aren't that big of a deal
to find, even still. Clients login with cookies with a "remember me"
check box. I thought it was at least significant because of what "nav"
is for. The "nav" value is inserted as a subheading of the main page
node, and one website I saw this at inserted html code with a link in
the nav argument. Nice. One of those "double take" moments. This XSS
was used as a "feature", leveraged by a customer: a hosting company. I
was in awe. They should simply know better. So should Kayako.

Now, let's see how fast Kayako can release a security bulletin to their
customers. Isn't a security audit a part of every release?

No fix yet, since the code is proprietary. I always release fixes for
free software / open source code. I can't do that with proprietary
code, though.

Cheers,

Seth

P.S. Vendors have burned me and their users in the past for not fessing
up or giving credit where due; I agree with Linus Torvalds, vendor-sec
and ideas like it are a bad idea:

"I happen to believe in openness, and vendor-sec does not. It's that
simple." ( http://www.internetnews.com/dev-news/article.php/3458961 )

-- 
Seth Alan Woolley [seth at positivism.org], SPAM/UCE is unauthorized
Key id EF10E21A = 36AD 8A92 8499 8439 E6A8 3724 D437 AF5D EF10 E21A

--BQPnanjtCNWHyqYD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCEa+gej9tPAC6OvMRAnxtAJ0XhPcQD+DA/kSqdToUYwqg6PNVewCg+iNN
EUe8h2jaJTurC/rYDDwXVoI=
=Mi2p
-----END PGP SIGNATURE-----

--BQPnanjtCNWHyqYD--
```
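The defect the advisory describes is a query parameter copied verbatim into an HTML subheading. The following is an added Python example, not Kayako's code: it renders a hypothetical `nav`-in-`<h2>` template first unescaped and then HTML-escaped, and runs a coarse check over constructed access-log lines of the kind the author says the vendor could have noticed. The template, function names, IPs, hostnames and log lines are all assumptions made for this illustration.

```python
"""Reflected XSS through an unescaped query parameter.

Added example (not Kayako's code): a hypothetical page template where
the "nav" value becomes a subheading, rendered first verbatim and then
HTML-escaped, plus a triage check over constructed access-log lines.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical template: the nav parameter lands in an HTML text context.
TEMPLATE = "<h1>Knowledgebase</h1><h2>{nav}</h2>"


def render_subheading_vulnerable(nav: str) -> str:
    """Insert the parameter verbatim: the pattern the advisory describes."""
    return TEMPLATE.format(nav=nav)


def render_subheading_safe(nav: str) -> str:
    """Escape <, >, &, and quotes so the value can only ever be text."""
    return TEMPLATE.format(nav=html.escape(nav, quote=True))


def nav_from_url(url: str) -> str:
    """Return the percent-decoded first 'nav' value of a URL (or '')."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("nav", [""])[0]


# Constructed Apache-style access-log lines (documentation-range IPs,
# made-up timestamps). Line 3 mimics the link injection the author saw
# a customer using as a "feature".
LOG_LINES = [
    '203.0.113.5 - - [25/Feb/2005:10:12:01 +0000] "GET /index.php?_a=knowledgebase'
    '&_j=questiondetails&_i=2&nav=General HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Feb/2005:10:13:44 +0000] "GET /index.php?_a=knowledgebase'
    '&_j=questiondetails&_i=2&nav=%3Cscript%3Ealert(%27msg%27)%3C/script%3E HTTP/1.1" 200 5133',
    '203.0.113.9 - - [25/Feb/2005:10:15:02 +0000] "GET /index.php?_a=knowledgebase'
    '&_j=questiondetails&_i=2&nav=%3Ca%20href%3D%22http%3A//example.invalid%22%3Ehosting%3C/a%3E HTTP/1.1" 200 5140',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")  # start of an HTML tag after decoding


def flag_suspicious_nav(log_lines):
    """Return (line_no, decoded nav) for requests whose nav value carries markup."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        nav = nav_from_url(match.group(1))
        if TAG_RE.search(nav):
            hits.append((line_no, nav))
    return hits


if __name__ == "__main__":
    payload = "<script>alert('msg')</script>"
    print(render_subheading_vulnerable(payload))
    print(render_subheading_safe(payload))
    for line_no, nav in flag_suspicious_nav(LOG_LINES):
        print(f"line {line_no}: nav={nav!r}")
```

`html.escape` is the right fix only for an HTML text or attribute context, which is what a subheading is; a value echoed into a `<script>` block, an event handler or a URL needs that context's own encoding. The log check decodes the parameter before matching, since `%3C` in the raw line would otherwise slip past a naive `<script` grep, but it is a triage aid for finding past abuse, not a substitute for output encoding.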


Vulners AI Score: 7.4 (High risk)