[原文]Multiple cross-site scripting (XSS) vulnerabilities in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) before R_2_5_0_41 allow remote attackers to inject arbitrary web script or HTML via (1) the topic parameter in search.pl and (2) the filter parameter in submit.pl.
Slashcode contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'topic' variable upon submission to the 'search.pl' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to Slash CVS version R_2_5_0_41 and release version 2.2.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.