[Original text] Cross-site scripting (XSS) vulnerability in CFMagic Magic Forum Personal 2.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the Words parameter in search_forums.cfm, as used in the "Search For:" field.
Magic Forum Personal search_forums.cfm Words Parameter XSS
Remote / Network Access
Loss of Integrity
Magic Forum Personal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'Words' parameter upon submission to the 'search_forums.cfm' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
OSVDB is not aware of a solution for this vulnerability.