TorrentFlux =93user_id=94 Script Insertion
Cross Site Scripting
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.
Data passed to the =93users=94 array is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator=92s browser session in context of an affected site when the =93Activity Log=94 is viewed.
The vulnerability has been confirmed in version 2.1. Other versions may also be affected.
Edit the source code to ensure that input is properly sanitised.
echo =93=94.htmlentities($users[$inx], ENT_QUOTES).=94";