Cross-site scripting (XSS) vulnerability in the failed login page in Novell iChain before 2.2 build 2.2.113 and 2.3 First Customer Ship (FCS) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Novell has released Technical Information Document (TID2968872) and iChain 2.2 Support Pack 3 Beta 1; this support pack contains a fix to address this and other issues. Please see the referenced Technical Information Document for further details regarding obtaining and applying this support pack. The vendor has reported that Novell iChain builds 2.2.113 and later are not prone to this issue. Users are advised to upgrade to the fixed versions by contacting the vendor.
Novell iChain contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the "url" variable when it is submitted to the failed-login error page. A specially crafted URL could therefore cause arbitrary script to execute in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 2.2.113 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
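The failure described above is a reflected XSS: a request parameter is copied into the error page without validation or output encoding. The following is an added illustration, not code from iChain or from this advisory, of a failed-login page handler in its unsafe form beside a hardened form. The function names, the page markup, the sample parameter value and the "same-origin relative path only" policy are all assumptions made for the example; they are not taken from the product.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of a "url" parameter carrying markup (hypothetical value,
# not taken from the advisory). A real request would arrive as a query string.
SAMPLE_URL_PARAM = '/protected/app?page=1"><b>injected markup</b>'


def render_failed_login_vulnerable(url_param: str) -> str:
    """'Before' form: the url parameter is reflected into the page unchanged,
    so any markup it carries is emitted as live HTML."""
    return (
        "<html><body><p>Login failed.</p>"
        f'<a href="{url_param}">Return to {url_param}</a>'
        "</body></html>"
    )


def safe_return_url(url_param: str, default: str = "/") -> str:
    """Accept only a same-origin relative path as the return target.
    Anything with a scheme or host (http:, javascript:, //host/...) falls
    back to the default. This policy is an assumption for the example."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return url_param


def render_failed_login_hardened(url_param: str) -> str:
    """'After' form: validate the return target, then HTML-escape it (quotes
    included) so it is inert in both the attribute and the text context."""
    target = safe_return_url(url_param)
    escaped = html.escape(target, quote=True)
    return (
        "<html><body><p>Login failed.</p>"
        f'<a href="{escaped}">Return to {escaped}</a>'
        "</body></html>"
    )


def reflects_raw_markup(rendered: str, marker: str = "<b>") -> bool:
    """Check a rendered page for the injected tag appearing verbatim; a simple
    regression test that a fix of this kind should make fail-closed."""
    return marker in rendered


if __name__ == "__main__":
    print("vulnerable reflects markup:",
          reflects_raw_markup(render_failed_login_vulnerable(SAMPLE_URL_PARAM)))
    print("hardened reflects markup:",
          reflects_raw_markup(render_failed_login_hardened(SAMPLE_URL_PARAM)))
```

Escaping alone is enough to stop the markup injection; the return-target validation is the separate check that keeps the link from pointing to a foreign origin or a non-HTTP scheme, which output encoding does not address.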