tDiary contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'plugin_tb_url' and 'plugin_tb_excerpt' parameters upon submission to the tb-send.rb plugin script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Remote / Network Access
Loss of Integrity
Upgrade to version 2.2.3 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw: disable tb-send.rb, or upgrade tb-send.rb to revision 3573 or higher.
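The class of defect described above (submitted parameters reflected into the plugin's HTML without validation or escaping) and one way to harden it, as an added illustration in Ruby; this is constructed example code, not the actual tb-send.rb source, and the `render_tb_form` and `sanitize_tb_url` helpers are hypothetical names.

```ruby
require 'cgi'
require 'uri'

# Constructed stand-in for a plugin that echoes submitted form values back into
# its own page. It is NOT the real tb-send.rb; it shows the defensive pattern
# that prevents the reflected XSS the advisory describes.

# Accept only absolute http(s) URLs for the trackback target. Anything else
# (javascript:, data:, malformed input) is rejected and rendered as empty.
def sanitize_tb_url(value)
  uri = URI.parse(value.to_s)
  return '' unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  uri.to_s
rescue URI::InvalidURIError
  ''
end

# Hardened rendering: every parameter is HTML-escaped before it is placed in an
# attribute value or element body, so browser-side script cannot be injected
# through plugin_tb_url or plugin_tb_excerpt.
def render_tb_form(params)
  url = CGI.escapeHTML(sanitize_tb_url(params['plugin_tb_url']))
  excerpt = CGI.escapeHTML(params['plugin_tb_excerpt'].to_s)
  <<~HTML
    <form method="post">
      <input type="text" name="plugin_tb_url" value="#{url}">
      <textarea name="plugin_tb_excerpt">#{excerpt}</textarea>
    </form>
  HTML
end
```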