CVE-2008-3700

Kayako SupportSuite < 3.20.02 - Cross-Site Scripting via SessionID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-3700. PoCs published by GulfTech Security.

AI-analyzed exploit summary This exploit demonstrates an XSS vulnerability in Kayako SupportSuite by injecting a malicious script via the 'filter' parameter in the URL. The script executes arbitrary JavaScript, potentially stealing cookies or manipulating the page.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite 3.20.02 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the sessionid parameter in a livesupport startclientchat action to visitor/index.php; (2) the filter parameter in a news view action to index.php; or the Full Name field in a (3) account creation, (4) ticket opening, or (5) chat request operation.

Exploits (2)

exploitdb WORKING POC VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32220

This exploit demonstrates an XSS vulnerability in Kayako SupportSuite by injecting a malicious script via the 'filter' parameter in the URL. The script executes arbitrary JavaScript, potentially stealing cookies or manipulating the page.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Kayako SupportSuite versions prior to 3.30
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32219

The provided text describes multiple input-validation vulnerabilities in Kayako SupportSuite, including SQL injection, XSS, and HTML injection. It includes a sample XSS payload but lacks executable exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Kayako SupportSuite prior to 3.30
No auth needed
Prerequisites: Access to the vulnerable web application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44382
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/47615
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/47614
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44383
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/47613
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31431
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30642

Scores

EPSS 0.0410
EPSS Percentile 89.4%

Details

CWE
CWE-79
Status published
Products (5)
kayako/supportsuite 3.10.00
kayako/supportsuite 3.10.02
kayako/supportsuite 3.11.00
kayako/supportsuite 3.11.01
kayako/supportsuite < 3.20.02
Published Aug 15, 2008
Tracked Since Feb 18, 2026