Kayako Fusion version 4.40.1148 and probably prior suffers from cross-site scripting (XSS) vulnerability (CVE-2012-3233).
This XSS vulnerability can be exploited to execute arbitrary HTML and script code in user's browser session in context of an affected website: input appended to the URL after "/__swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/ docs/download.php" is not properly sanitised before being returned to the user.
Vulnerability ID: HTB23095
Vendor Notification / Public Disclosure Dates: June 6 / September 5, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk level: Medium [CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)]
Solution Status: Fixed by Vendor, upgrade to Kayako Fusion 4.50.1581
Kayako Fusion is the world's leading multi-channel helpdesk solution that enables organizations to deliver a better customer experience and work more effectively as a team, whatever their size.
See details and PoC-example for this advisory: Cross-Site Scripting (XSS) in Kayako Fusion.
No comments:
Post a Comment