CVE-2012-3233

Name of the Vulnerable Software and Affected Versions Kayako Fusion versions 4.40.1148 through 4.50.1581

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the PATH INFO in the swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php file.

Recommendations For versions 4.40.1148 through 4.50.1581, consider restricting access to the download.php file as a temporary workaround until a patch is available. Avoid using the PATH INFO to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.