Title: Kayako SupportSuite and eSupport 'functions_ticketsui.php' Cross Site Scripting Vulnerability
Severity: MODERATE
Description:
Kayako SupportSuite and eSupport are web-based support applications implemented in PHP.
The applications are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied input to unspecified scripts and parameters related to the staff control panel. This issue is caused by an error in the 'modules/tickets/functions_ticketsui.php' script file.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Kayako SupportSuite and eSupport 3.60.04 and prior are vulnerable.
Affected Products:
- Kayako SupportSuite 3.0.0 0.26
- Kayako SupportSuite 3.00.13
- Kayako SupportSuite 3.00.32
- Kayako SupportSuite 3.04.10
- Kayako SupportSuite 3.30.00 Release Candidate 2
- Kayako SupportSuite 3.30.00 Release Candidate 3
- Kayako SupportSuite 3.30.02
- Kayako SupportSuite 3.60.04
- Kayako eSupport
- Kayako eSupport 2.1.2
- Kayako eSupport 2.1.8
- Kayako eSupport 2.2.0
- Kayako eSupport 2.2.5
- Kayako eSupport 2.3.0
- Kayako eSupport 2.3.1
- Kayako eSupport 2.3.5
- Kayako eSupport 3.00.90
- Kayako eSupport 3.20.02
- Kayako eSupport 3.60.04
References:
- Kayako: Kayako Homepage
- Kayako: Security bulletin – SupportSuite and eSupport
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
