Multiple vulnerabilities in Kayako Fusion version 4.51.1891 could allow an unauthenticated, remote attacker to perform an HTML injection attack on a targeted system.
The vulnerabilities are due to insufficient sanitization of user-supplied input by the affected software. An unauthenticated, remote attacker could exploit these vulnerabilities by convincing a targeted user to open a crafted web page. Processing the web page could allow the attacker to inject HTML code and execute arbitrary script code to gain access to authentication cookies on the targeted system.
Users should verify that unsolicited links are safe to follow.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit these vulnerabilities.
The vendor has not confirmed these vulnerabilities, and updated software is not available.