Cross-site scripting (XSS) vulnerability in Symantec Web Security 2.5, 3.0.0, and 3.0.1 before build 62 allows remote attackers to inject arbitrary web script or HTML via the query string in blocked URLs that are listed in (1) error or (2) block page messages.
Symantec Web Security contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not HTML-encode the blocked URL, including its query string, before echoing it in the error and block page messages displayed to the client. A remote attacker can craft a URL to a blocked site whose query string carries script or HTML; when a user requests that URL through the proxy and receives the block page, the injected content executes in the user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 3.0.1 (build 62) or later, which has been reported to fix this vulnerability. Note that Symantec fixed the flaw in 3.0.1 without incrementing the version number, so any 3.0.1 build earlier than 62 is vulnerable; check the build number, not only the version string. It is also possible to mitigate the flaw with the following workaround: modify the Symantec Web Security default block pages so that they do not return the offending URL to the client.
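The flaw and the two remedies above, shown side by side as an added example. This is illustrative code written for this entry, not Symantec's block page template or product code; the page markup, the function names and the host blocked.example are assumptions, and the crafted URL is constructed for the demonstration. The vulnerable renderer echoes the blocked URL verbatim, the fixed renderer HTML-encodes it, and the workaround renderer omits the URL entirely, as the advisory suggests.

```python
import html

# Constructed sample input: a URL to a host assumed to be on the block list,
# with the XSS payload carried in the query string. The block page that the
# proxy returns is what reflects the payload back to the victim's browser.
PAYLOAD = "<script>alert(document.cookie)</script>"
CRAFTED_URL = "http://blocked.example/index.html?q=" + PAYLOAD


def render_block_page_vulnerable(blocked_url: str) -> str:
    """Hypothetical block page that embeds the blocked URL without encoding.

    This is the flawed pattern: any markup in the query string lands in the
    page as live HTML.
    """
    return (
        "<html><body>"
        "<h1>Access denied</h1>"
        f"<p>The URL {blocked_url} is blocked by policy.</p>"
        "</body></html>"
    )


def render_block_page_fixed(blocked_url: str) -> str:
    """Same page, but the URL is HTML-encoded before being placed in the body.

    html.escape turns <, >, &, and quotes into entities, so the browser
    renders the payload as text instead of executing it.
    """
    return (
        "<html><body>"
        "<h1>Access denied</h1>"
        f"<p>The URL {html.escape(blocked_url, quote=True)} is blocked by policy.</p>"
        "</body></html>"
    )


def render_block_page_workaround(blocked_url: str) -> str:
    """The advisory's workaround: do not return the offending URL at all.

    The argument is accepted so the three renderers are interchangeable,
    but nothing attacker-controlled reaches the page.
    """
    return (
        "<html><body>"
        "<h1>Access denied</h1>"
        "<p>The requested URL is blocked by policy.</p>"
        "</body></html>"
    )


def reflects_unencoded(page: str, payload: str) -> bool:
    """True if the raw payload, tags intact, appears anywhere in the page."""
    return payload in page


if __name__ == "__main__":
    renderers = [
        ("vulnerable", render_block_page_vulnerable),
        ("fixed", render_block_page_fixed),
        ("workaround", render_block_page_workaround),
    ]
    for name, render in renderers:
        page = render(CRAFTED_URL)
        print(f"{name:10s} reflects raw payload: {reflects_unencoded(page, PAYLOAD)}")
```

One caveat when testing a real deployment: browsers may percent-encode characters such as < and > in the query string before sending the request, so whether the raw payload reaches the block page depends on the client and on whether the proxy URL-decodes the request before rendering it. Test against the decoded form the product actually writes into the page, not only the bytes on the wire.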