Multiple cross-site scripting (XSS) vulnerabilities in clickstats.php in wwwstats 3.21 allow remote attackers to inject arbitrary web script or HTML via (1) the link parameter or (2) the User-Agent HTTP header.
https://exchange.xforce.ibmcloud.com/vulnerabilities/38925
http://www.timeprog.com/wwwstats/
http://www.securityfocus.com/archive/1/484727/100/0/threaded