Patch against XSS vunerability at module language.Details here:http://secunia.com/advisories/32278/Advisory/exploit here:http://packetstorm.linuxsecurity.com/0810-exploits/elxis-xss.txtThe exploit only affects sites that have the smart language switch parameter enabled in module language. How to patch Elxis 2008.0, 2008.1 rev2204 until an official patch is released:First of all you should have session.use_only_cookies = 1 in your php.ini to prevent session fixation.Now, open module language (modules/mod_language.php) to edit it.Go to line 65.Replace this:$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));with this:$replURI = preg_replace('/^([\/])/', '', urldecode($_SERVER['REQUEST_URI']));$pat = "([\"]|[\']|[\<]|[\>]|[\*]|[\~]|[\`]|[\^]|[\|]|[\\\]|[\$]|[\;])";$replURI = preg_replace($pat, '', $replURI);$replURI = preg_replace('/(script)/i', '', $replURI);$replURI = preg_replace('/(mosconfig)/i', '', $replURI);Save the file and upload it to your site.Such kind of attacks can be easily prevented if you have Elxis Defender enabled!