Multiple cross-site scripting (XSS) vulnerabilities in Leif M. Wrightβs Blog 3.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Referer and (2) User-Agent HTTP headers, which are stored in a log file and not sanitized when the administrator views the βLogβ page, possibly using the ViewCommentsLog function.