iManager plugin versions 1.2.8 build 02012008 and below suffer from a cross site scripting vulnerability when parsing user input to the 'dir' parameter via GET method in 'random.php' and 'phpThumb.demo.random.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
4c4c2b763221737d36a6acfffd6dbb477bc08d64d63061a263200f70c4504d7a