Two vulnerabilities in HomeSeer HS2

Two flaws in HomeSeer HS2 allow cross-site request forgery (CSRF) and script insertion attacks. The first vulnerability is due to improper sanitization of data passed via the URL. It allows an attacker to execute arbitrary HTML and script code in a user’s session.
The software also allows certain HTTP requests to be performed without verification, so an attacker may entice a user to visit a malicious website and launch commands on the victim’s system.
The flaws were found in version 2.5.0.23. Other versions may also be vulnerable.


Source: Secunia
12.12.2011