Description
Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.
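The two layers named in the description, storing the header value and later writing it into a page, can each be hardened. The following is an added example, not Contao's code or its 2.9.3 fix: the function names `client_ip()` and `html()` are hypothetical and the sample requests are constructed. It assumes PHP 7 or later.

```php
<?php
// Added example: hypothetical helpers, not taken from Contao.

/**
 * Storage layer: accept X-Forwarded-For only if it parses as an IP address.
 * Anything else falls back to REMOTE_ADDR, which the web server sets itself.
 * Even a well-formed value is client-supplied unless a trusted proxy set it.
 */
function client_ip(array $server): string
{
    $remote   = $server['REMOTE_ADDR'] ?? '';
    $fallback = filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if (!is_string($header) || $header === '') {
        return $fallback;
    }

    // The header may carry a comma-separated proxy chain; check the first entry.
    $first = trim(explode(',', $header)[0]);
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $fallback;
}

/**
 * Output layer: escape every stored value where it is written into HTML,
 * so a value that slipped past validation is rendered as text, not markup.
 */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests: a proxy chain, a header carrying markup, no header.
$samples = [
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 10.0.0.1'],
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'],
    ['REMOTE_ADDR' => '198.51.100.7'],
];

foreach ($samples as $server) {
    $raw = $server['HTTP_X_FORWARDED_FOR'] ?? '(none)';
    printf("header:   %s\n", $raw);
    printf("stored:   %s\n", client_ip($server));   // validated at storage time
    printf("rendered: %s\n\n", html($raw));         // escaped at output time
}
```

Either layer alone stops the injection described here; applying both means a later code path that skips one of them does not reopen it.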
Remediation
References