Description
SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32221
References (6)
Core 6
Core References
Various Sources x_refsource_misc
http://www.gulftech.org/?node=research&article_id=00123-08092008
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44384
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/47616
Various Sources x_refsource_misc
http://forums.kayako.com/f3/3-30-00-stable-released-18304/
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31431
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30642
Scores
EPSS
0.0041
EPSS Percentile
61.7%
Details
CWE
CWE-89
Status
published
Products (5)
kayako/supportsuite
3.10.00
kayako/supportsuite
3.10.02
kayako/supportsuite
3.11.00
kayako/supportsuite
3.11.01
kayako/supportsuite
< 3.20.02
Published
Aug 15, 2008
Tracked Since
Feb 18, 2026