Sergey Tikhonov

Name of the Vulnerable Software and Affected Versions: Mephisto versions 0.7.3 and Edge 20070325 Description: A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `author name` field in a comment. This occurs in the `app/helpers/application helper.rb` file. Recommendations: For Mephisto version 0.7.3, update the `application helper.rb` file to properly sanitize the `author name` field. For Mephisto Edge 20070325, restrict access to the comment functionality until a proper fix is applied to sanitize the `author name` field.