[Original text] Cross-site scripting (XSS) vulnerability in Cherokee before 0.4.8 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting error page.
Cherokee has been reported to contain a cross-site scripting vulnerability via error pages.
An attacker can exploit this issue by crafting a URI containing malicious HTML or script code and enticing a user to follow it. The attacker-supplied code may be rendered in the web browser of a user who follows the malicious link. Exploitation of this issue may allow for theft of cookie-based authentication credentials or other attacks.
The Cherokee web server contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate invalid URLs before they are returned to the user in an error message. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 0.4.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.