Multiple cross-site scripting (XSS) vulnerabilities in WebAPP 0.9.9.3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) id, (3) num, (4) board, (5) cat, (6) real, (7) viewcat, (8) img, or (9) curcatname parameter in cgi-bin/index.cgi, or (10) vsSD parameter in /mods/calendar/index.cgi.
https://exchange.xforce.ibmcloud.com/vulnerabilities/25435
http://www.web-app.net/cgi-bin/index.cgi?action=redirectd&cat=pastversions&id=1
http://www.web-app.net/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=1
http://www.vupen.com/english/advisories/2006/1102
http://www.securityfocus.com/bid/17359
http://secunia.com/advisories/19506
http://pridels0.blogspot.com/2006/03/webapp-multiple-xss-vuln.html