XSS vulnerability in Kayako app left AVG.sg, comodo.com and other sites vulnerable

GreyHat Hacker "Sony" , from insecurity.ro ,come with some interesting vulnerability. He has discovered XSS vulnerability in a famous Help desk and customer support software Kayako.

In fact, the vulnerability in kayako has been discovered already by other security researcher .  But sony found that the vulnerability in Kayako Fusion left some high profile sites including AVG Singapore, Comodo websites vulnerable .

He found XSS in Ticket submission.Unfortunately, the XSS is persistent one. When he put his xss code in the all fields and submitted the ticket, the injected xss code is successfully injected in database. Opening the submitted tickets will execute the injected javascript code.

The comodo website uses SupportSuite v3.70.02 and AVG singapore uses fusion app. Both application are found to be vulnerable to this attack.