[Original] Multiple cross-site scripting (XSS) vulnerabilities in myBloggie 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) year parameter in viewmode.php, or the (2) cat_id, (3) month_no, or (4) post_id parameter in index.php, which are not properly sanitized before they are displayed in an error message. NOTE: issues 2, 3, and 4 may be due to a problem in associated products rather than myBloggie itself.
myBloggie contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'year' variable submitted to the 'viewmode.php' script, or the 'cat_id', 'month_no' and 'post_id' variables submitted to the 'index.php' script, before reflecting them in an error message. This could allow an attacker to craft a URL that, when opened by a user, executes arbitrary script code in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 2.1.2 or higher, as it has been reported to fix this vulnerability. In addition, myWebland has released a patch for some older versions.
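As an added illustration of the flaw described above and of the sanitization the fix needs (example code written for this entry, not myBloggie's or myWebland's own source), the following script contrasts an error-message renderer that echoes the raw query parameter with one that validates the value as an integer and HTML-encodes it. The parameter names are taken from the advisory; the function names, the `handle()` wrapper and the sample request array are assumptions made for the demonstration.

```php
<?php
// Added illustration, not myBloggie's code: the parameters named in the
// advisory (year, cat_id, month_no, post_id) are read from the query string
// and, on an invalid value, reflected into an error message. The vulnerable
// renderer echoes the raw value; the hardened one validates first and
// HTML-encodes whatever it reflects.

declare(strict_types=1);

// All four parameters in the advisory are numeric identifiers.
const NUMERIC_PARAMS = ['year', 'cat_id', 'month_no', 'post_id'];

// Vulnerable pattern: the unvalidated value lands inside an HTML error
// message, so a value such as <script>...</script> is rendered as markup.
function render_error_vulnerable(string $param, string $value): string
{
    return "<p class=\"error\">Invalid $param: $value</p>";
}

// Hardened pattern: reject anything that is not a plain integer, and
// HTML-encode the value before it is placed in the page. ENT_QUOTES also
// encodes ' and " so the value would be safe inside an attribute as well.
function render_error_hardened(string $param, string $value): string
{
    if (!ctype_digit($value)) {
        // Do not reflect the untrusted value at all when it is not a number.
        return "<p class=\"error\">Invalid $param</p>";
    }
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"error\">Invalid $param: $safe</p>";
}

// Hypothetical handler: reads the parameters the way index.php/viewmode.php
// would, from a supplied array so the script can be exercised offline.
// $param always comes from NUMERIC_PARAMS, never from the request, so it is
// safe to interpolate; only $value is attacker-controlled.
function handle(array $query, callable $renderer): array
{
    $out = [];
    foreach (NUMERIC_PARAMS as $param) {
        if (!isset($query[$param])) {
            continue;
        }
        // Only the error path is shown; a valid id would go to the lookup.
        $out[$param] = $renderer($param, (string) $query[$param]);
    }
    return $out;
}

// Constructed sample request: one benign value and one carrying script.
$sample = [
    'post_id' => '42',
    'cat_id'  => '<script>alert(document.cookie)</script>',
];

echo "vulnerable:\n";
foreach (handle($sample, 'render_error_vulnerable') as $line) {
    echo "  $line\n";
}
echo "hardened:\n";
foreach (handle($sample, 'render_error_hardened') as $line) {
    echo "  $line\n";
}
```

Run with `php example.php`: the vulnerable branch prints the `<script>` element verbatim inside the error paragraph, while the hardened branch prints `Invalid cat_id` with no reflected payload, and reflects `42` only because it passed the integer check. Validating the type before reflecting is the important half: encoding alone keeps the page safe, but rejecting non-numeric ids also removes the reflection channel entirely.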