IBM warns of a flaw in Web Experience Factory

IBM warns of a moderately critical flaw in Web Experience Factory that can be exploited to launch script injection attacks. The vulnerability is due to unspecified input that is not properly sanitised before being used in the Smart Refresh component. It can be exploited to inject arbitrary HTML and script code, which is executed in a user's browser context when the user views malicious data on a crafted website.
The flaw was reported in versions 7.0.0.2 and 7.0.1.2.
Users should install interim patches LO65984_WPF7002 or LO65985_WEF7012.


Source: Secunia
31.01.2012