[原文]Cross-site scripting (XSS) vulnerability in links.php script in myPHPNuke 1.8.8, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the (1) ratenum or (2) query parameters.
Reportedly, myPHPNuke 'links.php' does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user. All code will be executed within the context of the website running myPHPNuke.
This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.
This vulnerability was reported for myPHPNuke 1.8.8 earlier versions may also be affected.
myPHPNuke contains a flaw that allows a remote cross site scripting attack. This flaw exists because the myPHPNuke does not adequately filter HTML code passed to 'links.php'. This could allow a user to create a malicious link containing script code that will be executed in the browser of a legitimate user within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.