Security fix for Cross-Site Scripting Vulnerability
Open global.php and search for the following line:
$mode = (isset($HTTP_POST_VARS['mode'])) ? stripslashes(trim($HTTP_POST_VARS['mode'])) : stripslashes(trim($HTTP_GET_VARS['mode']));
in Version 1.7.2 and 1.7.3 or
$mode = (isset($HTTP_GET_VARS['mode'])) ? stripslashes(trim($HTTP_GET_VARS['mode'])) : stripslashes(trim($HTTP_POST_VARS['mode']));
in Version 1.7.1 and 1.7.
Add the following line directly below the line you found:
$mode = preg_replace("/[^a-z0-9]+/i", "", $mode);
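
The effect of the added line, shown as an added example that is not part of the original advisory or the project's code: it compares the original assignment with the patched one on constructed sample values. The function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the project's own code.

// Behaviour before the fix: slashes and surrounding whitespace are removed,
// but characters with meaning in HTML pass through unchanged.
function mode_before_fix(string $raw): string
{
    return stripslashes(trim($raw));
}

// Behaviour after the fix: the line from the advisory removes every
// character that is not an ASCII letter or digit.
function mode_after_fix(string $raw): string
{
    $mode = stripslashes(trim($raw));
    $mode = preg_replace("/[^a-z0-9]+/i", "", $mode);
    return $mode ?? ''; // preg_replace returns null on a regex error
}

// True if the value still contains characters that matter in an HTML context.
function has_markup_chars(string $value): bool
{
    return preg_match('/[<>"\'&]/', $value) === 1;
}

// Constructed sample inputs (hypothetical values, not taken from the project).
$samples = [
    'search',        // plain alphanumeric value
    ' lightbox ',    // surrounding whitespace
    'new_images',    // contains an underscore
    '"><b>x</b>',    // carries HTML markup
    "a\\'b",         // escaped quote, as magic quotes would produce
];

foreach ($samples as $raw) {
    $before = mode_before_fix($raw);
    $after  = mode_after_fix($raw);
    printf(
        "input=%-14s before=%-14s markup=%-3s after=%-12s markup=%s\n",
        json_encode($raw, JSON_UNESCAPED_SLASHES),
        json_encode($before, JSON_UNESCAPED_SLASHES),
        has_markup_chars($before) ? 'yes' : 'no',
        json_encode($after, JSON_UNESCAPED_SLASHES),
        has_markup_chars($after) ? 'yes' : 'no'
    );
}
```

The filter also removes underscores, hyphens and all other punctuation, so a mode value that legitimately contains them would be altered by the patched line.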