Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity 0.7 beta1, and possibly other versions before 0.7-beta3, allows remote attackers to inject arbitrary HTML and PHP code via the (1) email or (2) username field.
Serendipity contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the content of the email and username fields upon submission to the comment.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
The 'exit.php' and 'comment.php' scripts also do not properly validate user-supplied input in the 'entry_id' parameter.
Upgrade to version 0.7.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
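The root cause described above is a comment handler that accepts the email, username and entry_id fields as submitted and later renders them unencoded. The following PHP is an added illustration written for this entry, not Serendipity's own code; the function names, the field names and the character set allowed for usernames are assumptions. It shows both halves of the usual fix: reject input that does not match the expected shape, and HTML-encode every value at the point where it is written into a page.

```php
<?php
// Added example (not Serendipity's code): validating the fields named in the
// advisory and encoding them on output. Names below are assumptions.
//
// The vulnerable pattern the advisory describes looks like this:
//     echo 'Comment by ' . $_POST['username'];   // raw value becomes markup
// Everything that follows replaces that pattern.

function validate_comment_input(array $post): array {
    $errors = [];

    // entry_id: must be a positive integer; anything else is rejected.
    $entry_id = filter_var($post['entry_id'] ?? '', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if ($entry_id === false) {
        $errors[] = 'entry_id must be a positive integer';
    }

    // email: must parse as an address (this also excludes '<', '>' and quotes).
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }

    // username: conservative allow-list of letters, digits, space, ._- and a
    // length cap. The exact set is an assumption; the point is an allow-list.
    $username = trim($post['username'] ?? '');
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,40}$/u', $username)) {
        $errors[] = 'username contains disallowed characters or is too long';
    }

    return [
        'ok'       => empty($errors),
        'errors'   => $errors,
        'entry_id' => $entry_id,
        'email'    => $email,
        'username' => $username,
    ];
}

// Output encoding is the second half of the fix: even validated values are
// HTML-encoded when rendered, so a stored value can never become markup.
function render_comment_author(string $username, string $email): string {
    $u = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $e = htmlspecialchars($email,    ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="author">' . $u . ' &lt;' . $e . '&gt;</span>';
}

// Constructed sample submission, standing in for $_POST:
$sample = ['entry_id' => '12', 'email' => 'reader@example.com', 'username' => 'Reader'];

$r = validate_comment_input($sample);
if ($r['ok']) {
    echo render_comment_author($r['username'], $r['email']), PHP_EOL;
} else {
    http_response_code(400);
    echo 'Rejected: ' . implode('; ', $r['errors']), PHP_EOL;
}
```

Validation alone is not sufficient: a username allow-list can be loosened later, and an address that passes FILTER_VALIDATE_EMAIL can still contain characters that matter in other contexts, so the htmlspecialchars call in the renderer is what actually prevents the injected value from being interpreted as HTML. Applying the same encoding in the page that displays stored comments (not just the submission response) closes the stored variant of the same issue.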