Kayako SupportSuite < 3.30.01 Multiple Vulnerabilities

medium Nessus Plugin ID 34029


The remote web server contains a PHP application affected by several vulnerabilities.


The remote host is running Kayako SupportSuite, a web-based electronic support portal written in PHP.

According to its banner, the version of Kayako installed on the remote host is earlier than 3.30.01 and is, therefore, affected by several issues:

- There is a blind SQL injection issue in the staff panel that enables a staff user to gain administrative access.

- A user may be able to inject arbitrary script code into a user's browser by opening a ticket or requesting a chat if they include the script in the 'Full Name' field associated with their account.

- There are numerous cross-site scripting issues.


Upgrade to Kayako SupportSuite 3.30.01 or later.

See Also




Plugin Details

Severity: Medium

ID: 34029

File Name: kayako_supportsuite_3_30_01.nasl

Version: 1.21

Type: remote

Family: CGI abuses

Published: 8/22/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Risk Information


Risk Factor: Medium

Score: 6.3


Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:kayako:supportsuite

Required KB Items: www/kayako_supportsuite, www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2008-3700, CVE-2008-3701

BID: 30642

CWE: 79, 89