MyMarket is prone to cross-site scripting attacks.
HTML tags and script code are not sanitized from CGI variables which may cause user-supplied input to be displayed. As a result, an attacker can create a link to a site running the vulnerable software which contains malicious attacker-supplied HTML and script code.
When this link is visited, the attacker-supplied code will execute in the user's web client in the security context of the site hosting the software.
MyMarket contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'noticemsg' parameter upon submission to the 'form_header.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
OSVDB is not aware of a solution for this vulnerability.