PhpGedView is prone to a cross-site scripting vulnerability. Remote attackers may create malicious links to this script that include hostile HTML and script code. If such a link was followed by a victim user, the attacker-supplied code would be rendered in the security context of the site hosting the software.
This could be exploited to steal cookie-based authentication credentials. Other attacks are also possible.
This issue is reported to affect PhpGedView 2.61. Other versions are also likely affected.
PhpGedView contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "firstname" variables upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 2.65 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note that 2.65 is currently only available as a beta release.