Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium allow remote attackers to insert arbitrary script via (1) the member parameter to member.php or (2) the action parameter to buddy.php.
XMB Forum has been reported prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sanitize user-supplied data.
An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user.
XMB Forum contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'action' variable upon submission to the 'buddy.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 1.8 Partagium Final SP1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
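
The two entry points named above (the member parameter to member.php and the action parameter to buddy.php) can be reviewed in web server logs for the period before the upgrade. The following is an added example, not part of the original advisory or of XMB's code; it assumes combined-format access logs, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script -> parameter pairs named in the advisory.
WATCHED = {"member.php": "member", "buddy.php": "action"}
# Characters that let a value leave HTML text or attribute context.
HTML_META = re.compile(r"[<>\"'`]")
# Request portion of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, harmless <b> markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /forum/buddy.php?action=add&buddy=alice HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /forum/buddy.php?action=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /forum/member.php?action=viewpro&member=%253Cb%253Ex HTTP/1.1" 200 701',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /forum/index.php?q=%3Cb%3E HTTP/1.1" 200 300',
]

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (covers %253C-style double encoding)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return (script, parameter, decoded value) for watched parameters carrying HTML metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(script)
    if param is None:
        return []  # not one of the two scripts in the advisory
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        decoded = fully_decode(value)
        if HTML_META.search(decoded):  # quotes can be legitimate; treat hits as triage leads
            hits.append((script, param, decoded))
    return hits

def scan(lines):
    """Collect hits across all log lines, in order."""
    return [hit for line in lines for hit in suspicious_params(line)]
```

Only query-string values appear in access logs, so requests that carried the parameter in a POST body need application-level or WAF logging to review.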