Cross-site scripting vulnerability in DeepMetrix LiveStats 5.03 through 6.2.1 allows remote attackers to execute arbitrary script as the LiveStats user via the (1) user-agent or (2) referrer, which are not filtered by the stats program.
LiveStats parses web server log files into an SQL database, enabling a user to generate reports describing site traffic. The generated HTML reports are viewed through the LiveStats web browser interface. LiveStats runs on Microsoft Windows and is maintained by DeepMetrix, formerly known as MediaHouse Software.
LiveStats does not filter HTML tags when generating reports. As a result, it is possible for an attacker to cause arbitrary script code to be included in HTML reports generated by LiveStats. When a user views the report page via the browser interface, the script code will be executed in their browser, in the context of the LiveStats host.
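The following added example (not LiveStats code, and not from the vendor) shows the class of flaw described above and the output-encoding fix: referrer and user-agent values taken from a web server log are written into an HTML report row, first unfiltered and then escaped. It assumes the Apache-style combined log format; the function names and the sample log lines are constructed for illustration.

```python
import html
import re

# Assumed input: combined log format
# host ident user [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.com/" "Mozilla/4.0 (compatible)"',
    '192.0.2.11 - - [01/Jan/2003:10:00:05 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.com/?q=<i>x</i>" "<script>alert(1)</script>"',
]

def parse(line):
    """Return the named log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def row_unfiltered(entry):
    # Behaviour the advisory describes: client-supplied fields copied into HTML as-is.
    return "<tr><td>{referrer}</td><td>{agent}</td></tr>".format(**entry)

def row_escaped(entry):
    # Fix: output-encode every client-controlled field for the HTML body context.
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(entry["referrer"], quote=True),
        html.escape(entry["agent"], quote=True),
    )

def suspicious_fields(entry):
    # Triage helper: which client-supplied fields carry markup characters?
    return [k for k in ("referrer", "agent") if re.search(r"[<>]", entry[k])]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse(line)
        print(suspicious_fields(e), row_escaped(e))
```

Escaping at report-generation time protects reports built from entries already stored in the database; `suspicious_fields` can be run over existing logs to find entries worth reviewing.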
This issue has been reported in 6.2; prior versions may also be affected.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
The vendor has reported that this issue has been resolved as of version 6.2.2 of LiveStats.