[原文]Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) lang parameter in (a) index_list.php and (2) year, (3) month, and (4) day parameter in (b) registration.php.
ATutor registration.php Multiple Variable POST Method XSS
Remote / Network Access
Loss of Integrity
ATutor contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'year', 'month' and 'day' variables upon submission to the registration.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 1.5.3_pl1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.