CVSS: 3.5EPSS: 0%CPEs: 12EXPL: 1CVE-2010-0460
https://notcve.org/view.php?id=CVE-2010-0460
Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en staff/index.php en Kayako SupportSuite v3.60.04 y anteriores permite a usuarios remotos autenticados inyectar secuencias arbitrarias de comandos web o HTML a través de los parámetros (1) "subject" y (2) "contents" (también conocido como "body") en una acción insertquestion. NOTA: La procedencia de esta información es desconocida, los detalles fueron obtenidos de información de terceros. • http://osvdb.org/61928 http://packetstormsecurity.org/1001-advisories/kayako-xss.txt http://secunia.com/advisories/38322 http://www.securityfocus.com/archive/1/509122/100/0/threaded http://www.securityfocus.com/bid/37947 https://exchange.xforce.ibmcloud.com/vulnerabilities/55859 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 0CVE-2009-3567
https://notcve.org/view.php?id=CVE-2009-3567
Cross-site scripting (XSS) vulnerability in modules/tickets/functions_ticketsui.php in Kayako SupportSuite and eSupport 3.60.04 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the staff control panel, a different vector than CVE-2007-1145. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en modules/tickets/functions_ticketsui.php en Kayako SupportSuite y eSupport v3.60.04 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de vectores sin especificar en el panel de control de plantilla, un vector diferente de CVE-2007-1145. • http://blog.kayako.com/2009/09/security-bulletin-supportsuite-and-esupport http://osvdb.org/58516 http://secunia.com/advisories/36807 http://www.securityfocus.com/bid/36568 https://exchange.xforce.ibmcloud.com/vulnerabilities/53558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2CVE-2008-3700 – Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-3700
Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite 3.20.02 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the sessionid parameter in a livesupport startclientchat action to visitor/index.php; (2) the filter parameter in a news view action to index.php; or the Full Name field in a (3) account creation, (4) ticket opening, or (5) chat request operation. Multiples vulnerabilidades de Secuencias de comandos en sitios cruzados (XSS) en versiones de Kayako SupportSuite 3.20.02 y anteriores, permiten a atacantes remotos inyectar scripts web o HTML arbitrarios a través de (1) el parámetro sessionid en una acción livesupport startclientchat en visitor/index.php, (2) el parámetro filter en una accion de ver noticia en index.php, o el campo nombre completo en (3) la creación de la cuenta, (4) la apertura de tickets, o (5) una operación de petición de chat. • https://www.exploit-db.com/exploits/32220 https://www.exploit-db.com/exploits/32219 http://forums.kayako.com/f3/3-30-00-stable-released-18304 http://osvdb.org/47613 http://osvdb.org/47614 http://osvdb.org/47615 http://secunia.com/advisories/31431 http://www.gulftech.org/?node=research&article_id=00123-08092008 http://www.securityfocus.com/bid/30642 https://exchange.xforce.ibmcloud.com/vulnerabilities/44382 https://exchange.xforce.ibmcloud.com/vulnerabilities/44383 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 1CVE-2008-3701 – Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection
https://notcve.org/view.php?id=CVE-2008-3701
SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action. Una vulnerabilidad de inyección SQL en staff/index.php en versiones de Kayako SupportSuite 3.20.02 y anteriores permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro customfieldlinkid en una acción delcflink. • https://www.exploit-db.com/exploits/32221 http://forums.kayako.com/f3/3-30-00-stable-released-18304 http://osvdb.org/47616 http://secunia.com/advisories/31431 http://www.gulftech.org/?node=research&article_id=00123-08092008 http://www.securityfocus.com/bid/30642 https://exchange.xforce.ibmcloud.com/vulnerabilities/44384 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2006-5825 – Kayako SupportSuite 3.0.32 - 'index.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-5825
Cross-site scripting (XSS) vulnerability in index.php in Kayako SupportSuite 3.00.32 allows remote attackers to inject arbitrary web script or HTML via the query string. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en index.php de Kayako SupportSuite 3.00.32 permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la cadena de consulta. • https://www.exploit-db.com/exploits/28939 http://builds.kayako.net http://securityreason.com/securityalert/1838 http://www.securityfocus.com/archive/1/450829/100/0/threaded http://www.securityfocus.com/bid/20954 https://exchange.xforce.ibmcloud.com/vulnerabilities/30095 •