CVE-2008-3700

Name of the Vulnerable Software and Affected Versions Kayako SupportSuite versions 3.20.02 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various means, including the sessionid parameter in a "livesupport startclientchat" action to "visitor/index.php", the filter parameter in a "news view" action to "index.php", or the Full Name field in account creation, ticket opening, or chat request operations.

Recommendations For Kayako SupportSuite versions 3.20.02 and earlier, update to a version later than 3.20.02 to resolve the issue. As a temporary workaround, consider restricting access to the sessionid parameter in "livesupport startclientchat" actions, the filter parameter in "news view" actions, and limiting user input in the Full Name field for account creation, ticket opening, and chat requests.