Description
Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite 3.20.02 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the sessionid parameter in a livesupport startclientchat action to visitor/index.php; (2) the filter parameter in a news view action to index.php; or the Full Name field in a (3) account creation, (4) ticket opening, or (5) chat request operation.
Exploits (2)
exploitdb
WORKING POC
VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32220
exploitdb
WRITEUP
VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32219
References (9)
Core 9
Core References
Various Sources x_refsource_misc
http://www.gulftech.org/?node=research&article_id=00123-08092008
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44382
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/47615
Various Sources x_refsource_misc
http://forums.kayako.com/f3/3-30-00-stable-released-18304/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/47614
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44383
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/47613
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31431
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30642
Scores
EPSS
0.0326
EPSS Percentile
87.2%
Details
CWE
CWE-79
Status
published
Products (5)
kayako/supportsuite
3.10.00
kayako/supportsuite
3.10.02
kayako/supportsuite
3.11.00
kayako/supportsuite
3.11.01
kayako/supportsuite
< 3.20.02
Published
Aug 15, 2008
Tracked Since
Feb 18, 2026