Overview
This article shares information about a high-severity vulnerability in Kayako Classic software release 4.73.3 and earlier, which was fixed in the Kayako Classic 4.74 Release.
Information
A high-severity vulnerability was discovered in Kayako Classic software. In accordance with our security vulnerability, fix and patch policy, this security advisory discloses what the vulnerability is, what it affects, and how it can be fixed.
- This vulnerability affects all versions of Kayako Fusion, Case and Engage up to and including Kayako 4.73.3
- Kayako Download customers need to update their Kayako helpdesk to the latest version or apply a patch below.
Vulnerability
- An attacker could use this vulnerability to hijack another user's session on the server on which Kayako is installed.
- To exploit this vulnerability, an attacker would need HTTP access to any of the web-facing parts of Kayako. We have verified that the potential for exploitation exists. There is no known exploit in the wild.
Severity
- According to our severity scale, we have rated this vulnerability as high (a CVSS2 base score of 6.0 - 7.9).
Credit
- This vulnerability was responsibly disclosed to us by a Kayako customer. We confirmed this vulnerability on the 14th of June 2015 and released a fix and security advisory on the 15th of June 2015.
- We are committed to responsible disclosure. Read more about our security vulnerability, fix and patch policy.
Fix
- We have released Kayako 4.74.0 to fix this vulnerability. Although we always recommend a full update, patches are available (detailed below) if you are not in a position to perform a full update.
- For more information on updating your helpdesk, see Upgrading your helpdesk.
Patch
- NOTE: A patch is a stop-gap measure only.
- If you patch your helpdesk, plan a full update to the latest release as soon as possible. Take a backup of the files you patch.
- If you are not in a position to update immediately, we have prepared patches for the previous two releases to fix the critical security issue. We always recommend a full update to the latest release.
- Follow these steps to run the patch:
- Download the package which corresponds to your current Kayako version. You can find your current Kayako version in the admin control panel dashboard.
Version                                  Patch file
Kayako Fusion, Case and Engage 4.72.2    SWIFT-4979-4.72.2.zip
Kayako Fusion, Case and Engage 4.73.3    SWIFT-4979-4.73.3.zip
- Unpack the package.
- Replace the corresponding files on your helpdesk with the new, patched versions. For all Kayako plans, the files to replace are:
  - __swift/includes/functions.php
  - __swift/apps/base/config/class.SWIFT_SetupDatabase_base.php
  - __swift/models/Session/class.SWIFT_Session.php
- We have provided patches for the two previous releases. If you are using a Kayako version earlier than this, a full update is required.
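The replace-and-back-up steps above, as an added shell example that is not Kayako's own tooling: it assumes the patch package has already been unpacked into a directory that mirrors the helpdesk layout (so it contains the three __swift/... files named above), and it writes the backups to a directory you choose outside the web root so the old copies are never served.

```shell
#!/bin/sh
# Added example, not Kayako's own patch tooling. Assumes the unpacked
# package mirrors the helpdesk directory layout (__swift/... at its root).
set -eu

# The three files the advisory says to replace (same for all Kayako plans).
PATCHED_FILES="__swift/includes/functions.php
__swift/apps/base/config/class.SWIFT_SetupDatabase_base.php
__swift/models/Session/class.SWIFT_Session.php"

# apply_kayako_patch HELPDESK_ROOT UNPACKED_PATCH_DIR BACKUP_DIR
# Refuses to change anything unless every target exists in both trees, then
# copies each original into BACKUP_DIR (keep this outside the web root) before
# overwriting it with the patched version. Prints BACKUP_DIR on success.
apply_kayako_patch() {
    helpdesk="$1"
    patch="$2"
    backup="$3"
    # Pre-flight: a half-applied patch is worse than none, so check first.
    for f in $PATCHED_FILES; do
        [ -f "$helpdesk/$f" ] || { echo "missing in helpdesk: $f" >&2; return 1; }
        [ -f "$patch/$f" ]    || { echo "missing in patch package: $f" >&2; return 1; }
    done
    for f in $PATCHED_FILES; do
        mkdir -p "$backup/$(dirname "$f")"
        cp -p "$helpdesk/$f" "$backup/$f"   # keep the original, as the advisory asks
        cp "$patch/$f" "$helpdesk/$f"       # install the patched version
    done
    echo "$backup"
}
```

Run it as `apply_kayako_patch /path/to/helpdesk /path/to/unpacked/SWIFT-4979-<version> /var/backups/kayako-SWIFT-4979` after confirming in the admin control panel that the package matches your installed version.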
Risk Mitigation
There are no mitigation steps available, other than updating to the latest available version or applying the patches provided.