[原文]Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data.
Invision Community Blog Module convert_highlite_words() Function XSS
Remote / Network Access
Loss of Integrity
Invision Community Blog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the user input for script or HTML code with double hex encoded highlight data upon submission to the convert_highlite_words() function. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.