Kayako Fusion v4.51.1891 - multiple web vulnerabilities
Description
Kayako Fusion version 4.51.1891 contains multiple persistent cross-site scripting (XSS) vulnerabilities that allow authenticated attackers to inject malicious JavaScript code into the application. These stored XSS vulnerabilities persist in the application's database and execute whenever other users view the affected content. Exploitation requires a privileged user account and varying levels of user interaction depending on the specific vulnerable module.
Remediation
1. Immediate Action: Upgrade Kayako Fusion to the latest patched version that addresses these XSS vulnerabilities. Consult Kayako's security advisories for the specific fixed version.
2. Temporary Mitigation: If immediate patching is not possible, restrict access to privileged accounts and implement the following controls:
• Review and sanitize existing user-generated content for malicious scripts
• Implement Web Application Firewall (WAF) rules to filter XSS patterns
• Enable Content Security Policy (CSP) headers to limit script execution
3. Verification: After upgrading, confirm that user-supplied data is encoded on output with context-appropriate escaping (HTML entity encoding in an HTML context, JavaScript string encoding in a JavaScript context).
4. Long-term Security: Implement regular security assessments and establish a patch management process to apply vendor security updates promptly.
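The following is an added example illustrating the output-encoding and CSP controls from points 2 and 3 above; it is not Kayako's code and the function names, the ticket-page layout and the sample ticket text are assumptions made for the demonstration. It encodes the same stored value differently depending on whether it lands in HTML or inside a script block, and pairs the page with a nonce-based Content-Security-Policy header so that only scripts the server marked are executed.

```python
import html
import json
import secrets

# Added example: context-aware output encoding plus a CSP header for a
# ticket-display page. Names and layout are assumptions, not Kayako's code.


def encode_for_html(value: str) -> str:
    """Encode untrusted text for an HTML body or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """Encode untrusted text as a JavaScript string literal inside <script>."""
    literal = json.dumps(value)  # handles quotes, backslashes, control chars
    # json.dumps leaves <, > and & untouched; escape them too so a value can
    # never close the enclosing <script> element or be parsed as markup.
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def new_nonce() -> str:
    """Per-response CSP nonce (unpredictable, 128 bits)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Value for the Content-Security-Policy response header."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'self'")


def render_ticket_page(subject: str, note: str, nonce: str) -> str:
    """Render stored ticket fields, encoding each value for the context it lands in."""
    return (
        "<!doctype html><html><body>"
        f'<h1 title="{encode_for_html(subject)}">{encode_for_html(subject)}</h1>'
        f'<div class="note">{encode_for_html(note)}</div>'
        f'<script nonce="{encode_for_html(nonce)}">'
        f"var ticketSubject = {encode_for_js(subject)};"
        "</script></body></html>"
    )


if __name__ == "__main__":
    # Constructed sample of stored ticket content containing script markup.
    subject = "Printer down </script><script>alert('xss')</script>"
    nonce = new_nonce()
    print("Content-Security-Policy:", csp_header(nonce))
    print(render_ticket_page(subject, "Please advise <b>soon</b>", nonce))
```

The same subject string is emitted twice: as HTML entities in the heading and as a `\u003c`-escaped JavaScript literal in the script block. Using the HTML encoder inside the script block would not be enough, since the browser does not decode entities there, which is why the context decides the encoder rather than the other way round.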