We have discovered a critical security vulnerability in Kayako software. In accordance with our security vulnerability, fix, and patch policy, this security advisory discloses what the vulnerability is, what it affects, and how it can be fixed.
- This vulnerability affects all versions of Kayako Fusion, Case, and Engage up to and including Kayako 4.70.1.
- Kayako OnDemand customers have already been updated and do not need to take any further action.
- Kayako Download customers need to update their Kayako helpdesk to the latest version or apply a patch below.
If you have any questions about this advisory or require assistance with the update, please do not hesitate to contact our support team.
Security advisory details
An attacker could use this vulnerability to remotely execute PHP code on the server on which Kayako is installed. To exploit this vulnerability, an attacker would need HTTP access to any of the web-facing parts of Kayako. We have verified that the potential for exploitation exists. There is no known exploit in the wild.
According to our severity scale, we have rated this vulnerability as critical (a CVSS2 base score of 8.0 or higher).
This vulnerability was responsibly disclosed to us by a Kayako customer. We confirmed this vulnerability on the 9th June 2015 and released a fix and security advisory on the 10th June 2015.
We are committed to responsible disclosure. Read more about the security vulnerability, fix, and patch policy.
Update to Kayako 4.70.2
We have released Kayako 4.70.2 to fix this vulnerability. Although we always recommend a full update, patches are available (detailed below) if you are not in a position to perform a full update. For more information on updating your helpdesk, see Upgrading your helpdesk.
Refer to Kayako 4.70.2 Release Notes.
NOTE: A patch is a stop-gap measure only. If you patch your helpdesk, plan a full update to the latest release as soon as possible. Take a backup of the files you patch.
If you are not in a position to update immediately, we have prepared patches for the previous six releases to fix the critical security issue. Always a full update is recommended to the latest release.
Download the package which corresponds to your current Kayako version, unpack the package and then replace the corresponding files on your helpdesk with the new, patched versions.
You can find your current Kayako version in the admin control panel dashboard.
Kayako 4.65 and later
|Kayako Fusion, Case and Engage 4.70 and 4.70.1||SWIFT-4729-4.70.1.zip|
|Kayako Fusion, Case and Engage 4.69 (all 4.69.* versions)||SWIFT-4729-4.69.0.zip|
|Kayako Fusion, Case and Engage 4.68 (all 4.68.* versions)||SWIFT-4729-4.68.0.zip|
|Kayako Fusion, Case and Engage 4.67 (all 4.67.* versions)||SWIFT-4729-4.67.0.zip|
|Kayako Fusion, Case and Engage 4.66 (all 4.66.* versions)||SWIFT-4729-4.66.2.zip|
|Kayako Fusion, Case and Engage 4.65 (all 4.65.* versions)||SWIFT-4729-4.65.2.zip
For all Kayako plans, the files to replace are:
Earlier versions of Kayako
We have provided patches for the six previous releases, covering more than a year of release history. If you are using a Kayako version earlier than this, a full update is required.
There are no mitigation steps available, other than updating to the latest available version or applying the patches provided.