Kayako SupportSuite XSS Quickie

Here is a quick video demonstrating a fun cross-site scripting vulnerability I found in Kayako SupportSuite. It shows an interesting side of XSS that scanners rarely find: the user input is submitted through the public interface, but the XSS fires on the admin side. It demonstrates the need not only for improved scanning tools but for human intervention and testing. Enjoy.

The original nGenuity advisory is located here.

This vulnerability is fixed in versions greater than v3.50.06. The Kayako team takes security issues seriously and handles them quickly, as all companies should.


evilpacket is an awesome public service of nGenuity Information Security. Note: not actually evil.
