Cross-site scripting (XSS) vulnerability in the report viewer in Crystal Enterprise 8.5, 9, and 10 allows remote attackers to inject arbitrary web script or HTML via script in the URL to a report (RPT) file.
Fixes for specific platforms are available. Please see the referenced "URL to a RPT file may expose client-side source information with a script tag" knowledge base article for further information.

Business Objects Crystal Enterprise 10.0
Crystal Enterprise contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate URLs passed to RPT files. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Follow the vendor's upgrade instructions for the installed version and platform. An upgrade is required, as there are no known workarounds.