[原文]Multiple cross-site scripting (XSS) vulnerabilities in Phorum before 5.0.15 allow remote attackers to inject arbitrary web script or HTML via (1) the subject line to follow.php or (2) the subject line in the user's personal control panel.
Discovery of this vulnerability is credited to Jon Oberheide <firstname.lastname@example.org>.
Phorum Phorum 5.0.14
Phorum is reportedly affected by multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
These issues are reported to affect Phorum 5.0.14; earlier versions may also be affected.
No exploit is required.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: email@example.com <mailto:firstname.lastname@example.org>.