Kayako eSupport Troubleshooter Module index.php Multiple Parameter XSS

medium Nessus Plugin ID 17598

Synopsis

The remote web server contains a PHP script that is affected by several cross-site scripting vulnerabilities.

Description

The version of Kayako eSupport installed on the remote host is subject to multiple cross-site scripting vulnerabilities in the script 'index.php' through the parameters '_i' and '_c'. These issues may allow an attacker to inject HTML and script code into a user's browser within the context of the remote site, enabling him to steal authentication cookies, access data recently submitted by the user, and the like.

Solution

Upgrade to eSupport 2.3.1 or later.

See Also

https://www.securityfocus.com/archive/1/393946

http://www.nessus.org/u?e8313f62

Plugin Details

Severity: Medium

ID: 17598

File Name: kayako_index_xss.nasl

Version: 1.20

Type: remote

Published: 3/22/2005

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:kayako:esupport

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 12/25/2004

Vulnerability Publication Date: 3/22/2005

Reference Information

CVE: CVE-2005-0842

BID: 12868

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990