Two flaws in Rapidleech allow to launch script attacks. Input passed to „link“ parameter in audl.php when „GO“ is set to „GO“ is not properly sanitised before being returned to a user. An attacker may exploit the flaw to launch arbitrary HTML and script code in browser session context when malicious website is visited.
Input data passed via „notes“ parameter to notes.php are not properly sanitised. An attacker may insert arbitrary HTML and script code that will be executed in user’s browser session in a context of malicious website.
Flaws were confirmed in version 2.3 rev42 SVN r385. Other editions may also contain these flaws.

Source: Secunia
03.01.2012