Cross-site scripting (XSS) vulnerability in stat.pl in StatsPlus 1.25 allows remote attackers to inject arbitrary web script or HTML via (1) HTTP_USER_AGENT or (2) HTTP_REFERER, which is written to stats.html and executed in client browsers.
StatsPlus contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because 'stat.pl' does not validate or encode the 'HTTP_USER_AGENT' and 'HTTP_REFERER' request headers before recording them; the raw values are written into the generated 'stat.html' statistics page. Because the payload is stored in that file rather than reflected back to the sender, this is a stored (persistent) XSS: any HTTP client can set arbitrary header values, so a remote attacker needs no account or existing session, and the injected script runs in the browser of whoever later views the statistics page, in the context of that user's trust relationship with the server.
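The following is an added illustration of the mechanism described above, not code from StatsPlus (stat.pl is a Perl CGI script; this is a Python model of the same pattern). The report layout, the header values and the helper names are assumptions. It shows the verbatim write that causes the flaw, the hardened form that HTML-escapes the header values, and a simple audit check that flags a generated page whose visitor-controlled cells still contain raw markup.

```python
"""Model of the StatsPlus-style flaw: request headers copied into a generated
HTML report. Added illustration, not code from StatsPlus/stat.pl (which is Perl).
The page layout, the header values and the helper names are assumptions."""
import html
import re

# Constructed CGI environment for a request whose headers carry markup.
# The client controls User-Agent and Referer completely; nothing stops
# them from containing tags. (Hypothetical values, not from the advisory.)
CRAFTED_ENV = {
    "HTTP_USER_AGENT": 'Mozilla/5.0 <script>alert("ua")</script>',
    "HTTP_REFERER": 'http://example.com/?q="><img src=x onerror=alert(1)>',
}


def _page(agent_cell, referer_cell):
    """Shared page skeleton; only the two visitor-controlled cells differ."""
    return (
        "<html><body><h1>Visitor log</h1><table>\n"
        f"<tr><td>Agent</td><td>{agent_cell}</td></tr>\n"
        f"<tr><td>Referer</td><td>{referer_cell}</td></tr>\n"
        "</table></body></html>\n"
    )


def render_stats_vulnerable(env):
    """Equivalent of the reported bug: header values are written verbatim, so
    a later visitor's browser parses the injected tags as part of the page."""
    return _page(env.get("HTTP_USER_AGENT", ""), env.get("HTTP_REFERER", ""))


def render_stats_fixed(env):
    """Hardened form: every header value is HTML-escaped before it is written.
    quote=True also escapes quotes, so the values stay safe if a later
    template change puts them inside an attribute."""
    return _page(
        html.escape(env.get("HTTP_USER_AGENT", ""), quote=True),
        html.escape(env.get("HTTP_REFERER", ""), quote=True),
    )


# In the assumed layout the value cell is the second <td> of each row.
_VALUE_CELL = re.compile(r"</td><td>(.*?)</td></tr>", re.S)


def cells_with_raw_markup(page_html):
    """Audit check for an already generated stats page: return the visitor-
    controlled cells that still contain a literal '<'. A correctly escaped
    page has none, because every '<' became '&lt;'."""
    return [cell for cell in _VALUE_CELL.findall(page_html) if "<" in cell]


if __name__ == "__main__":
    print("vulnerable:", cells_with_raw_markup(render_stats_vulnerable(CRAFTED_ENV)))
    print("fixed:     ", cells_with_raw_markup(render_stats_fixed(CRAFTED_ENV)))
```

The audit check only looks for a raw `<` because that is the precondition for the browser to parse a tag at all; an escaped page still contains strings such as `onerror=` as inert text, so matching on event-handler names alone would produce false positives. The same check can be run against a real generated stats file by reading it and passing its contents to `cells_with_raw_markup`, adjusting the cell regex to that page's layout.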
Currently, there are no known upgrades, patches or workarounds available from the vendor to correct this vulnerability. The generic mitigation for this class of flaw is to HTML-encode the header values (at minimum `<`, `>`, `&` and quotes) before they are written to the statistics page, and to restrict who can view the generated page until that is done.