CVE-2010-5064 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in Virtual War (aka VWar) 1.6.1 R2 allow remote attackers to inject arbitrary web script or HTML via (1) the Additional Information field to challenge.php the (2) Additional Information or (3) Contact information field to joinus.php (4) the War Report field to admin/admin.php in a finishwar action or (5) the Nick field to profile.php.

Reference

http://dmcdonald.net/vwar.txt http://seclists.org/fulldisclosure/2010/Aug/235