[Original text] Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Discus Freeware and Discus Professional contain a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate user-supplied input before returning it in an error message. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
DiscusWare Discus Professional 3.10.4
DiscusWare Discus Freeware 3.10.5
DiscusWare Discus is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Discus Professional 3.10 and Discus Freeware 3.10 are vulnerable; other versions may also be affected.
To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URI.
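The class of flaw described above (URL text echoed into an error message without encoding) is shown here beside an output-encoded version, as an added example that is not Discus code and not taken from any of the advisories. The function names, the sample path and the response headers are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample request path (not a real Discus URL).
CONSTRUCTED_PATH = "/forum/messages/%3Cscript%3Eprobe()%3C%2Fscript%3E"


def error_page_unsafe(raw_path):
    """The pattern the advisories describe: URL text copied into the page as-is."""
    requested = unquote(raw_path)
    return f"<html><body><h1>Error</h1><p>Cannot open {requested}</p></body></html>"


def error_page_safe(raw_path):
    """Hardened form: HTML-encode at the point of output and add defensive headers."""
    requested = unquote(raw_path)
    # Drop control characters and cap the length before the value is displayed.
    shown = "".join(ch for ch in requested if ch.isprintable())[:200]
    # html.escape with quote=True encodes & < > " ' so the value stays inert text.
    body = (
        "<html><body><h1>Error</h1>"
        f"<p>Cannot open {html.escape(shown, quote=True)}</p></body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # An error page needs no scripts, so a deny-all policy is a cheap second layer.
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def reflects_markup(page, raw_path):
    """Regression check: True if request text containing HTML metacharacters
    appears in the page without encoding."""
    decoded = unquote(raw_path)
    return any(c in decoded for c in "<>\"'") and decoded in page


if __name__ == "__main__":
    print("unsafe reflects:", reflects_markup(error_page_unsafe(CONSTRUCTED_PATH), CONSTRUCTED_PATH))
    headers, body = error_page_safe(CONSTRUCTED_PATH)
    print("safe reflects:  ", reflects_markup(body, CONSTRUCTED_PATH))
    print(body)
```

The `reflects_markup` check can be kept as a regression test against every handler that builds an error page from request data.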