Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via JavaScript in a URL to (1) service.cgi or (2) alert.cgi.
Packetstorm publication at https://packetstormsecurity.com/files/25837/Colbalt-RAQ-v4.txt.html
SecurityFocus publication at https://www.securityfocus.com/bid/4211
Alex Hernandez aka (@_alt3kx_)
The vendor was notified.
Posted to the Cobalt security lists:
cobalt-security@list.cobalt.com &
jlovell@sun.com
http://www.cobalt.com
Delete the CGI files from the system, or disable their execution.
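
Until the CGI files are removed or disabled, the web server access log can be reviewed for requests to them that carry script content. The following is an added example, not part of the original advisory: it assumes Common Log Format, and the /cgi-bin/ path, parameter names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CGI names are from the advisory; their directory is not given, so match by name only.
AFFECTED_CGIS = {"service.cgi", "alert.cgi"}
# Heuristic markers of script content in a decoded URL (an assumption of this example).
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe)\b|\bon(?:error|load|click|mouseover)\s*=",
    re.IGNORECASE,
)
# Request line inside a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample lines: addresses, /cgi-bin/ path and parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2002:10:00:00 +0000] "GET /cgi-bin/service.cgi?item=status HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Mar/2002:10:01:12 +0000] "GET /cgi-bin/service.cgi?item=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 530',
    '192.0.2.44 - - [01/Mar/2002:10:01:40 +0000] "GET /cgi-bin/alert.cgi?msg=%253Cscript%253Ex HTTP/1.0" 200 498',
    '192.0.2.77 - - [01/Mar/2002:10:02:03 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.0" 200 1024',
]

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded content is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, cgi_name, decoded_target) for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        segments = fully_unquote(target.split("?", 1)[0]).lower().split("/")
        cgi = next((s for s in segments if s in AFFECTED_CGIS), None)
        if cgi is None:
            continue  # only the two CGIs named in the advisory are in scope
        decoded = fully_unquote(target)
        if SCRIPT_MARKERS.search(decoded):
            hits.append((number, cgi, decoded))
    return hits

if __name__ == "__main__":
    for number, cgi, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {cgi}: {decoded}")
```

The marker list is a heuristic and will miss other encodings; hits are a prompt for review, not proof of exploitation.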