Cross-site scripting (XSS) vulnerability in Kasseler CMS before 2 r1232 allows remote authenticated users with permissions to create categories to inject arbitrary web script or HTML via the cat parameter in an admin_new_category action to admin.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/85408
http://packetstormsecurity.com/files/122282/Kasseler-CMS-2-r1223-CSRF-XSS-SQL-Injection.html