Start a conversation

June 2016 Security Advisory: Kayako Classic 4.73.3 and earlier

We have discovered a high security vulnerability in Kayako Classic software. In accordance with our security vulnerability, fix and patch policy, this security advisory discloses what the vulnerability is, what it affects, and how it can be fixed.

  • This vulnerability affects all versions of Kayako Fusion, Case and Engage up to and including Kayako 4.73.3
  • Kayako OnDemand customers will be updated and do not need to take any further action.
  • Kayako Download customers need to update their Kayako helpdesk to the latest version or apply a patch below.

Security advisory details

Vulnerability

An attacker could use this vulnerability to hijack the other user's session on the server on which Kayako is installed. To exploit this vulnerability, an attacker would need HTTP access to any of the web-facing parts of Kayako. We have verified that the potential for exploitation exists. There is no known exploit in the wild.

Severity

According to our severity scale, we have rated this vulnerability as high (a CVSS2 base score of 6.0 - 7.9).

Credit

This vulnerability was responsibly disclosed to us by a Kayako customer. We confirmed this vulnerability on the 14th June 2015 and released a fix and security advisory on the 15th June 2015

We are committed to responsible disclosure. Read more about our security vulnerability, fix and patch policy.

Fix

Update to Kayako 4.74.0

We have released Kayako 4.74.0 to fix this vulnerability. Although we always recommend a full update, patches are available (detailed below) if you are not in a position to perform a full update. For more information on updating your helpdesk, see Upgrading your helpdesk.

The release notes Kayako 4.74.0 are available here.

Patch

NOTE: A patch is a stop-gap measure only. If you patch your helpdesk, plan a full update to the latest release as soon as possible. Take a backup of the files you patch.

If you are not in a position to update immediately, we have prepared patches for the previous 2 releases to fix the critical security issue. We always recommend a full update to the latest release.

Download the package which corresponds to your current Kayako version, unpack the package and then replace the corresponding files on your helpdesk with the new, patched versions.

You can find your current Kayako version in the admin control panel dashboard.

Kayako 4.73 and 4.72

Version
Patch file
Kayako Fusion, Case and Engage 4.72.2
SWIFT-4979-4.72.2.zip
Kayako Fusion, Case and Engage 4.73.3
SWIFT-4979-4.73.3.zip


For all Kayako plans, the files to replace are: 

__swift/includes/functions.php
__swift/apps/base/config/class.SWIFT_SetupDatabase_base.php
__swift/models/Session/class.SWIFT_Session.php

Earlier versions of Kayako

We have provided patches for the 2 previous releases. If you are using a Kayako version earlier than this, a full update is required.

Risk mitigation

There are no mitigation steps available, other than updating to the latest available version or applying the patches provided.

SWIFT-4979-4.73.3.zip

  1. 49 KB
  2. View
  3. Download

SWIFT-4979-4.72.2.zip

  1. 60 KB
  2. View
  3. Download
Download all
Choose files or drag and drop files
Was this article helpful?
Yes
No
  1. Kelly O'Brien

  2. Posted
  3. Updated