[Original text] Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php.
PHP-Fusion contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the news_body, article_description, and article_body variables upon submission to the submit.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 6.00.106 or higher, as it has been reported to fix this vulnerability. In addition, Nick Jones has released a patch for some older versions.
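The flaw class described above, shown as an added example that is not PHP-Fusion's code: a hypothetical preview renderer for the three fields named in this entry, first placing them into the page raw, then HTML-encoding them at output. The function names, the markup and the constructed sample submission are assumptions.

```php
<?php
// Added illustration; not PHP-Fusion source. The field names come from the
// entry; function names and markup are hypothetical.
const SUBMISSION_FIELDS = ['news_body', 'article_description', 'article_body'];

// Vulnerable pattern: submitted text is placed into the page unchanged,
// so any markup in it is interpreted by the viewer's browser.
function render_preview_unsafe(array $post): string
{
    $html = '';
    foreach (SUBMISSION_FIELDS as $field) {
        $html .= '<div class="' . $field . '">' . ($post[$field] ?? '') . "</div>\n";
    }
    return $html;
}

// Hardened pattern: each value is checked to be a string and HTML-encoded at
// output time, so markup characters are displayed instead of interpreted.
function render_preview_safe(array $post): string
{
    $html = '';
    foreach (SUBMISSION_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $value = ''; // a parameter sent as field[]=x arrives as an array
        }
        // ENT_QUOTES also encodes quotes; ENT_SUBSTITUTE replaces invalid
        // UTF-8 sequences instead of returning an empty string.
        $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<div class="' . $field . '">' . $encoded . "</div>\n";
    }
    return $html;
}

// Constructed sample submission (not taken from a real report).
$sample = [
    'news_body'           => '<script>alert(1)</script>',
    'article_description' => 'Plain text & an ampersand',
    'article_body'        => '<img src=x onerror="alert(1)">',
];

echo render_preview_unsafe($sample); // markup reaches the page as markup
echo render_preview_safe($sample);   // markup reaches the page as text
```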