8 results (0.002 seconds)

CVSS: 3.5EPSS: 0%CPEs: 12EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en staff/index.php en Kayako SupportSuite v3.60.04 y anteriores permite a usuarios remotos autenticados inyectar secuencias arbitrarias de comandos web o HTML a través de los parámetros (1) "subject" y (2) "contents" (también conocido como "body") en una acción insertquestion. NOTA: La procedencia de esta información es desconocida, los detalles fueron obtenidos de información de terceros. • http://osvdb.org/61928 http://packetstormsecurity.org/1001-advisories/kayako-xss.txt http://secunia.com/advisories/38322 http://www.securityfocus.com/archive/1/509122/100/0/threaded http://www.securityfocus.com/bid/37947 https://exchange.xforce.ibmcloud.com/vulnerabilities/55859 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 0

Cross-site scripting (XSS) vulnerability in modules/tickets/functions_ticketsui.php in Kayako SupportSuite and eSupport 3.60.04 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the staff control panel, a different vector than CVE-2007-1145. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en modules/tickets/functions_ticketsui.php en Kayako SupportSuite y eSupport v3.60.04 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de vectores sin especificar en el panel de control de plantilla, un vector diferente de CVE-2007-1145. • http://blog.kayako.com/2009/09/security-bulletin-supportsuite-and-esupport http://osvdb.org/58516 http://secunia.com/advisories/36807 http://www.securityfocus.com/bid/36568 https://exchange.xforce.ibmcloud.com/vulnerabilities/53558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite 3.20.02 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the sessionid parameter in a livesupport startclientchat action to visitor/index.php; (2) the filter parameter in a news view action to index.php; or the Full Name field in a (3) account creation, (4) ticket opening, or (5) chat request operation. Multiples vulnerabilidades de Secuencias de comandos en sitios cruzados (XSS) en versiones de Kayako SupportSuite 3.20.02 y anteriores, permiten a atacantes remotos inyectar scripts web o HTML arbitrarios a través de (1) el parámetro sessionid en una acción livesupport startclientchat en visitor/index.php, (2) el parámetro filter en una accion de ver noticia en index.php, o el campo nombre completo en (3) la creación de la cuenta, (4) la apertura de tickets, o (5) una operación de petición de chat. • https://www.exploit-db.com/exploits/32220 https://www.exploit-db.com/exploits/32219 http://forums.kayako.com/f3/3-30-00-stable-released-18304 http://osvdb.org/47613 http://osvdb.org/47614 http://osvdb.org/47615 http://secunia.com/advisories/31431 http://www.gulftech.org/?node=research&article_id=00123-08092008 http://www.securityfocus.com/bid/30642 https://exchange.xforce.ibmcloud.com/vulnerabilities/44382 https://exchange.xforce.ibmcloud.com/vulnerabilities/44383 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1

SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action. Una vulnerabilidad de inyección SQL en staff/index.php en versiones de Kayako SupportSuite 3.20.02 y anteriores permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro customfieldlinkid en una acción delcflink. • https://www.exploit-db.com/exploits/32221 http://forums.kayako.com/f3/3-30-00-stable-released-18304 http://osvdb.org/47616 http://secunia.com/advisories/31431 http://www.gulftech.org/?node=research&article_id=00123-08092008 http://www.securityfocus.com/bid/30642 https://exchange.xforce.ibmcloud.com/vulnerabilities/44384 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

Kayako SupportSuite 3.11.01 allows remote attackers to obtain server configuration information via a direct request to syncml/index.php, which prints the contents of the $_SERVER superglobal. Kayako SupportSuite 3.11.01 permite a atacantes remotos obtener información de la configuración del servidor a través de una respuesta directa en syncml/index.php, el cual imprime el contenido de $_SERVER superglobal. • http://secunia.com/advisories/28613 http://securityreason.com/securityalert/3573 http://www.securityfocus.com/archive/1/486762/100/0/threaded http://www.waraxe.us/advisory-63.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •