CVE-2008-3701

Kayako SupportSuite <3.20.02 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3701. PoCs published by GulfTech Security.

AI-analyzed exploit summary This exploit demonstrates an SQL injection vulnerability in Kayako SupportSuite. It uses a UNION-based SQLi to extract the first character of the admin password via a time-based blind technique (BENCHMARK).

Description

SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action.

Exploits (1)

exploitdb WORKING POC VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/32221

This exploit demonstrates an SQL injection vulnerability in Kayako SupportSuite. It uses a UNION-based SQLi to extract the first character of the admin password via a time-based blind technique (BENCHMARK).

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Kayako SupportSuite < 3.30
No auth needed
Prerequisites: Access to the vulnerable endpoint · Knowledge of the database structure
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44384
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/47616
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/31431
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/30642

Scores

EPSS 0.0192
EPSS Percentile 77.3%

Details

CWE
CWE-89
Status published
Products (5)
kayako/supportsuite 3.10.00
kayako/supportsuite 3.10.02
kayako/supportsuite 3.11.00
kayako/supportsuite 3.11.01
kayako/supportsuite < 3.20.02
Published Aug 15, 2008
Tracked Since Feb 18, 2026