[Original text] Cross-site scripting (XSS) vulnerability in ColdFusion Fusebox 4.1.0 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter, which is not quoted in an error page, as demonstrated using index.cfm.
Fusebox was reported to contain a flaw allowing a remote cross-site scripting attack. The initial disclosure indicated that the index.cfm script was prone to XSS attacks via the 'fuseaction' variable. Subsequent reports indicate that the Fusebox framework does not output any URL parameters to HTML and, as such, would not render script code. The initial report appears to be the result of an implementation error specific to an unspecified site or product. The Fusebox framework itself is not responsible for this attack.
The reported vulnerability is incorrect. No solution is required.