Multiple cross-site scripting (XSS) vulnerabilities in RadScripts RadBids Gold 2 allow remote attackers to inject arbitrary web script or HTML via (1) the farea parameter to faq.php or the (2) cat, (3) order, or (4) area parameters to index.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/20038
http://www.securityfocus.com/archive/1/395527