[原文]Bitrix Site Manager 4.1.x allows remote attackers to redirect users to other websites via a modified back_url during a HTTP POST request. NOTE: this issue has been referred to as "cross-site scripting," but that is inconsistent with the common use of the term.
Bitrix Site Manager contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'back_url' variable upon submission via HTTP POST requests to the Auth Form. This could allow a user to redirect users to malicious sites, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.