Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php in razorCMS before 0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the slab parameter in an edit action, (2) the catname parameter in a showcats action, and (3) the cat parameter in a reordercat action.
https://exchange.xforce.ibmcloud.com/vulnerabilities/49945
http://secunia.com/advisories/34744
http://razorcms.co.uk/support/viewtopic.php?f=13&t=325