AChecker contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the themes/default/language/language_add_edit.tmpl.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. Additionally, the program may disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

The original researcher has reported that a fix was released on 2011-11-15, but no details were provided.

• Related OSVDB ID: 74413 74414 74415 74416 74417
• Secunia Advisory ID: 45559
• Bugtraq ID: 49093
• Packet Storm: http://packetstormsecurity.org/files/103763
• Other Advisory URL: http://securityreason.com/wlb_show/WLB-2011080043
  http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5035.php

• Gjoko Krstic - Zero Science Lab

NVD does not currently have a CVSSv2 score assigned.