Direct static code injection vulnerability in editcss.php in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary PHP code, HTML, and script via the csscontent parameter, which is directly inserted into the gbxfinal.css file.
Gravity Board X editcss.php Template Edit Arbitrary Command Execution
Remote / Network Access
Loss of Integrity
Gravity Board X contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'editcss.php' not properly sanitizing user-supplied input. This may allow a remote attacker to arbitrarily manipulate the template and execute arbitrary commands, resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
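With no fix available, one defensive check is to audit the generated gbxfinal.css for content a stylesheet should never contain. The following is an added example, not code from Gravity Board X or from this advisory; the pattern list, function names and both sample stylesheets are constructed assumptions.

```python
import re

# Content that has no place in a plain stylesheet. CSS comments are not
# stripped first: a PHP open tag inside /* ... */ is still PHP if the file
# is ever passed through the interpreter.
PATTERNS = [
    ("php-open-tag", re.compile(r"<\?(?:php|=)?", re.I)),
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("html-tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9]*\b[^<>]*>", re.I)),
    ("script-url", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
    ("css-expression", re.compile(r"\bexpression\s*\(", re.I)),
]

# Constructed sample: ordinary CSS, including the '>' child combinator,
# which must not be reported.
CLEAN_CSS = (
    "body { color: #000; }\n"
    "ul > li { margin: 0; } /* child combinator */\n"
    "a:hover { text-decoration: underline; }\n"
)

# Constructed sample: inert markers of the three content types the advisory
# names (PHP code, HTML, script) as they would appear in a tampered file.
TAMPERED_CSS = (
    "body { color: #000; }\n"
    '/* <?php echo "constructed marker"; ?> */\n'
    "</style><script>void 0</script>\n"
    ".x { background: url(javascript:void) }\n"
)


def find_injected_markup(css_text):
    """Return sorted (line_number, kind, matched_text) tuples."""
    findings = []
    for kind, pattern in PATTERNS:
        # Scan the whole text so a tag split across lines is still caught.
        for m in pattern.finditer(css_text):
            lineno = css_text.count("\n", 0, m.start()) + 1
            findings.append((lineno, kind, m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, text in find_injected_markup(TAMPERED_CSS):
        print(f"line {lineno}: {kind}: {text!r}")
```

A finding is a prompt for manual review rather than proof of compromise; `expression(` in particular was legitimate in stylesheets written for older Internet Explorer versions.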