[原文]Multiple cross-site scripting vulnerabilities in FishCart 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) trackingnum, (2) reqagree, or (3) m parameter to upstracking.php or (4) nlst parameter to display.php. NOTE: the vendor was not able to reproduce some of the reported vectors but believes that they have been addressed. The original researcher is known to be unreliable.
FishCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'nlst' variable upon submission to the display.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Despite the vendor not being able to reproduce the described vulnerability, they have released a patch to further enhance security precautions to prevent possible attacks.