||width=" || " onMouseOver=alert(1) " ||test||
The vendor has been contacted, but has not replied to my report.
2010-04-19: Vendor contacted
2010-05-07: Published advisory
2010-05-09: Vendor releases 2.2.16
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.