PT-2011-43: Database information disclosure in Kayako Fusion

Vulnerable software
Kayako Fusion
Application link: http://www.kayako.com/products/fusion/

Severity level
Severity level: Medium
Impact: Database information disclosure
Access Vector: Network exploitable
CVSS v2:
  Base Score: 6.5
  Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE: not assigned

Software description
Kayako Fusion is the world's leading multi-channel helpdesk solution that enables organizations to deliver a better customer experience and work more effectively as a team, whatever their size. Whether over email, support tickets, self-help, live chat or voice, your customers' support history is tracked in one place and can be accessed from anywhere.

Vulnerability description
A vulnerability has been discovered in Kayako Fusion, which can be exploited by a malicious person with a 'staff' privileged user account. The vulnerability exists in the logic of report generation, which is based on Kayako Query Language (KQL). An authorized 'staff' user can generate a report containing the usernames and hashed passwords of all system users.

How to fix
Update your software to the latest version.
Update link 1
Update link 2

Advisory status
25.11.2011 - Vendor is notified
25.11.2011 - Vendor gets vulnerability details
25.11.2011 - Vendor releases fixed version and details
02.12.2011 - Public disclosure

Credits
The vulnerability was discovered by Yuri Goltsev, Alexander Zaitsev, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2011-43

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/advisory1.aspx
http://en.securitylab.ru/lab/
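The report-generation flaw described in the vulnerability description above is a case of a user-facing query language reaching columns that no report should ever expose. The following is an added example, not code from Kayako or from the advisory's authors, of the defensive pattern that prevents this class of issue: report queries are validated against a per-table allowlist of reportable fields before they touch the database, so a request for a credential column (or a wildcard, or a table outside the allowlist) is rejected and fails closed. The query form `SELECT field, field FROM Table`, the table names and the field names are all constructed for this example and are not Kayako's actual KQL grammar or schema.

```python
import re

# Constructed allowlist of fields a report may contain, per table.
# Hypothetical schema for this example only, not Kayako's.
REPORTABLE_FIELDS = {
    "Tickets": {"ticketid", "subject", "status", "departmentid", "dateline"},
    "Users": {"userid", "fullname", "email", "dateline"},
}

# Defence in depth: field names that are rejected even if someone later
# adds them to the allowlist by mistake.
SENSITIVE_FIELDS = {"password", "passwordhash", "salt", "apikey", "secret"}

# Simplified query grammar assumed for this example: SELECT <fields> FROM <table>
QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<table>\w+)\s*$",
    re.IGNORECASE,
)


class ReportQueryError(ValueError):
    """Raised when a report query references anything outside the allowlist."""


def validate_report_query(query: str) -> list[str]:
    """Return the fully qualified fields of an allowed report query.

    Rejects unparseable queries, unknown tables, wildcards, references to
    other tables, and any field that is not explicitly reportable.
    """
    match = QUERY_RE.match(query)
    if not match:
        raise ReportQueryError("unparseable report query")

    table = match.group("table")
    if table not in REPORTABLE_FIELDS:
        raise ReportQueryError(f"table not reportable: {table}")

    allowed = REPORTABLE_FIELDS[table]
    qualified = []
    for raw in match.group("fields").split(","):
        field = raw.strip().strip("'\"")
        if not field:
            raise ReportQueryError("empty field in select list")

        # Accept either Table.field or a bare field, but only for this table.
        if "." in field:
            owner, name = field.split(".", 1)
            if owner != table:
                raise ReportQueryError(f"cross-table reference not allowed: {field}")
        else:
            name = field
        name = name.lower()

        # Allowlist check (also rejects '*'), then the sensitive-field denylist.
        if name not in allowed or name in SENSITIVE_FIELDS:
            raise ReportQueryError(f"field not reportable: {field}")
        qualified.append(f"{table}.{name}")

    return qualified


if __name__ == "__main__":
    # Constructed sample queries: the first two are accepted, the rest rejected.
    for q in (
        "SELECT Tickets.ticketid, Tickets.subject FROM Tickets",
        "SELECT userid, email FROM Users",
        "SELECT Users.password FROM Users",
        "SELECT * FROM Users",
        "SELECT Users.email FROM Tickets",
    ):
        try:
            print("ALLOWED ", validate_report_query(q))
        except ReportQueryError as exc:
            print("REJECTED", q, "->", exc)
```

The important property is the direction of the check: the validator enumerates what a report may contain rather than trying to enumerate what it may not, so a column that the developers never thought about (a new credential field, an API key added later) is unreachable by default. The `SENSITIVE_FIELDS` denylist is only a second layer against allowlist mistakes, never the primary control.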