Risk factor: Medium / CVSS Base Score 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
Credit: Jamieson O'Reilly
SecurityCenter contains a flaw that allows a reflected cross-site scripting (XSS) attack. The flaw exists because the devform.php script, a development tool used to interact with the API for testing purposes, does not validate the 'message' parameter upon submission. This may allow an unauthenticated attacker to create a specially crafted request that executes arbitrary script code in a user's browser, within the trust relationship between that browser and the server, when the victim clicks the URL.
For existing installations, as an administrative user of the system, remove the 'devform.php' script from the server, or restrict access to the script.
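The following is an added illustrative example, not Tenable's devform.php or any other SecurityCenter code. It shows, in PHP, the two defensive measures the advisory describes: gating access to a development-only form (here on a hypothetical deployment flag and an allow-list of client addresses, both assumptions) and HTML-encoding a reflected 'message' parameter before it is written back into the page, beside the unencoded pattern that produces a reflected XSS. The sample input at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not the project's own code. It illustrates the defensive
// measures relevant to this advisory: restricting who can reach a development
// form, and HTML-encoding a request parameter that is reflected into the page.

declare(strict_types=1);

// Assumption: the deployment sets this flag only on development hosts, and
// the form is then served only to clients on the loopback interface.
const DEV_TOOLS_ENABLED = false;                       // hypothetical flag
const DEV_TOOLS_ALLOWED_CLIENTS = ['127.0.0.1', '::1']; // hypothetical allow-list

/** Decide whether a request may reach the development form at all. */
function devToolsAccessible(string $remoteAddr, bool $enabled = DEV_TOOLS_ENABLED): bool
{
    return $enabled && in_array($remoteAddr, DEV_TOOLS_ALLOWED_CLIENTS, true);
}

/**
 * Encode a value for insertion into an HTML text node or quoted attribute.
 * ENT_QUOTES also escapes single quotes; the explicit charset prevents
 * encoding mismatches that can undo the protection.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the raw parameter lands in the page unchanged. */
function renderUnsafe(string $message): string
{
    return '<p>Last message: ' . $message . '</p>';
}

/** Hardened pattern: the parameter is encoded before it is reflected. */
function renderSafe(string $message): string
{
    return '<p>Last message: ' . encodeForHtml($message) . '</p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: markup and quote characters that must not be
    // interpreted by the browser when the value is reflected.
    $sample = '<b>bold</b> & "quoted" text';
    echo 'unsafe: ' . renderUnsafe($sample) . PHP_EOL;
    echo 'safe:   ' . renderSafe($sample) . PHP_EOL;
} else {
    // Web request handling: deny by default, then reflect only encoded output.
    if (!devToolsAccessible($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(404); // respond as if the tool does not exist
        exit;
    }
    header('Content-Type: text/html; charset=UTF-8');
    $message = (string) ($_GET['message'] ?? '');
    echo renderSafe($message);
}
```

Run from the command line, the unsafe rendering echoes the `<b>` tags and quotes verbatim while the safe rendering emits `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot; text`. htmlspecialchars() is the correct encoder only for HTML body and quoted-attribute contexts; a value reflected into a JavaScript block or a URL needs the encoding for that context instead. Neither measure replaces the advisory's primary remediation: development tooling such as this script has no place on a production server and should be removed.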