Cross-site scripting (XSS) vulnerability in modules/private_messages/index.php in PowerPortal 1.x allows remote attackers to inject arbitrary web script or HTML via the (1) SUBJECT or (2) MESSAGE field.
A vulnerability is reported in PowerPortal that may make it prone to HTML injection attacks. The problem is said to be caused by insufficient sanitization of private message data.
Specifically, when creating PowerPortal private messages, the subject field may not be sufficiently sanitized of malicious content. This may make it possible for an attacker to place HTML or script code within the subject field of a private PowerPortal message for another user.
PowerPortal contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the subject and message variables upon submission to the modules/private_messages/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
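As an added illustration (not PowerPortal's own code; the function names and page layout are assumptions), the PHP snippet below contrasts the pattern the advisory describes, where the submitted subject and message fields are echoed straight into the page, with the usual fix of HTML-entity encoding every untrusted value at the point of output:

```php
<?php
// Added illustration, not PowerPortal's code: function names and the
// surrounding markup are assumptions made for this example.

declare(strict_types=1);

// Vulnerable pattern: subject and message are interpolated into the page
// exactly as submitted, so any markup they contain is interpreted by the
// recipient's browser when the private message is viewed.
function render_message_unsafe(string $subject, string $message): string
{
    return "<h2>{$subject}</h2>\n<div class=\"pm-body\">{$message}</div>";
}

// Hardened pattern: encode for the HTML body context before emitting.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_message_safe(string $subject, string $message): string
{
    // nl2br runs after encoding, so the only <br> tags present are the ones
    // this code inserts, never ones that came from the user.
    return "<h2>" . h($subject) . "</h2>\n"
         . "<div class=\"pm-body\">" . nl2br(h($message)) . "</div>";
}

// Constructed sample input: a subject and body containing ordinary markup,
// as a user could submit through the private-message form.
$subject = 'Meeting <b>today</b>';
$message = "Line one\n<i>Line two</i>";

echo "Unsafe rendering (submitted markup becomes live HTML):\n";
echo render_message_unsafe($subject, $message), "\n\n";

echo "Safe rendering (submitted markup is displayed as literal text):\n";
echo render_message_safe($subject, $message), "\n";
```

The encoding belongs at output, not only at submission time: stored data can reach the page through other paths (admin views, notification e-mails, exports), and each output context needs the encoding appropriate to it. Encoding at the template boundary is also what makes the fix easy to verify in review, since every interpolation of user data either passes through `h()` or is visibly suspect.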