Whilst looking for an answer to another problem I came across this article. Does anyone know the truth of this? The article notes there was no resolution to this in Sept 2104 since 2011.
b2evolution comment_post.php cross-site scripting
b2evolution is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the comment_post.php script. A remote attacker could exploit this vulnerability using the p parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Base Score: 4.3
Access Vector: Network
Access Complexity: Medium
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
Temporal Score: 4.1
Remediation Level: Unavailable
Report Confidence: Uncorroborated
No remedy available as of September 1, 2014.
AutoSec Tools Web Site: b2evolution 4.0.3 Persistent Cross-site Scripting.
b2evolution Web site: b2evolution.
BID-46886: b2evolution Comment HTML Injection Vulnerability
OSVDB ID: 71192: b2evolution blogs/htsrv/comment_post.php p Parameter XSS
SA43725: b2evolution p Script Insertion Vulnerability
b2evolution b2evolution 4.0.3
Mar 15, 2011
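
The advisory quoted above attributes the issue to improper validation of the p parameter. As an added example (not b2evolution's code and not part of the advisory), here is one way to validate such a parameter and encode anything echoed back, in PHP. It assumes p carries a numeric post ID; the function names and the markup are hypothetical.

```php
<?php
// Added example, not b2evolution code.
// Assumption: "p" identifies a post by a positive integer ID.

/** Return the post ID as int, or null unless $raw is a plain positive integer string. */
function parse_post_id($raw): ?int
{
    // Arrays (p[]=...) and missing values are rejected; /D stops "$" matching before a trailing newline.
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,8}$/D', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the field a comment form would carry (hypothetical markup). */
function render_post_field($raw): string
{
    $id = parse_post_id($raw);
    if ($id === null) {
        // A rejected value is only ever shown encoded, never raw.
        $shown = is_string($raw) ? html_escape($raw) : '';
        return '<p class="error">Invalid post reference: ' . $shown . '</p>';
    }
    // $id is an int here, so it cannot carry markup.
    return '<input type="hidden" name="p" value="' . $id . '">';
}

// Constructed sample inputs: a valid ID, a value carrying markup, an empty value, an array.
$samples = ['42', '42"><b>x</b>', '', ['1']];
foreach ($samples as $raw) {
    echo render_post_field($raw), PHP_EOL;
}
```

Only the first sample yields the hidden field; the second is shown with its quote and angle brackets encoded as entities, so the browser renders it as text.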