Kayako ESupport Multiple Cross-Site Scripting and SQL Injection Vulnerabilities

The following example demonstrates cross-site scripting:

http://www.example.com/index.php?_a=knowledgebase&_j=search&searchm=[CODEGOESHERE]

The following examples demonstrate SQL injection:

http://www.example.com/index.php?_a=knowledgebase&_j=subcat&_i=[SQL]

http://www.example.com/index.php?_a=knowledgebase&_j=rate&_i=[SQL]&type=no

http://www.example.com/index.php?_a=knowledgebase&_j=questiondetails&_i=[SQL]

http://www.example.com/index.php?_a=tickets&_m=viewmain&email22=blah@blah&ticketkey22=[SQL]

http://www.example.com/index.php?_a=tickets&_m=viewmain&email22=[SQL]&ticketkey22=
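
To find requests that put off-format values into the parameters listed above, a defender can scan the web server's access log. The Python below is an added example, not part of the original advisory; the expected value formats (numeric _i, alphanumeric ticket key, simple e-mail shape) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist per parameter named in the advisory. The expected formats are
# assumptions (numeric ids, alphanumeric ticket keys), not vendor-documented.
RULES = {
    ("knowledgebase", "search"): {"searchm": re.compile(r"[^<>\"']*")},
    ("knowledgebase", "subcat"): {"_i": re.compile(r"\d+")},
    ("knowledgebase", "rate"): {"_i": re.compile(r"\d+")},
    ("knowledgebase", "questiondetails"): {"_i": re.compile(r"\d+")},
    ("tickets", "viewmain"): {
        "email22": re.compile(r"[\w.+-]+@[\w.-]+"),
        "ticketkey22": re.compile(r"[A-Za-z0-9-]*"),
    },
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (line_number, parameter, decoded_value) for each off-format value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/index.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        module = query.get("_a", [""])[0]
        action = (query.get("_j") or query.get("_m") or [""])[0]
        for param, allowed in RULES.get((module, action), {}).items():
            for value in query.get(param, []):
                if not allowed.fullmatch(value):
                    hits.append((number, param, value))
    return hits

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php?_a=knowledgebase&_j=subcat&_i=12 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /index.php?_a=knowledgebase&_j=questiondetails&_i=12%27 HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Jan/2010:10:00:09 +0000] "GET /index.php?_a=knowledgebase&_j=search&searchm=%3Cb%3Ereset%3C%2Fb%3E HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2010:10:01:00 +0000] "GET /index.php?_a=tickets&_m=viewmain&email22=user%40example.com&ticketkey22=ABC123 HTTP/1.1" 200 3300',
    '192.0.2.11 - - [01/Jan/2010:10:01:30 +0000] "GET /index.php?_a=tickets&_m=viewmain&email22=user%40example.com%27&ticketkey22= HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values are URL-decoded before matching, so percent-encoded characters are checked in their decoded form.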


 

Copyright 2010, SecurityFocus