Vignette software has been reported prone to multiple cross-site scripting vulnerabilities.
Reportedly the issue presents itself, because the Vignette software does not sufficiently sanitize HTML characters from user-supplied data.
It may be possible for an attacker to supply and execute HTML and script code on a web client in the context of the site hosting the Vignette software. This may allow for theft of cookie-based authentication credentials and other attacks.
This issue was reported for Vignette StoryServer version 4 to version 6; it has been speculated that all current versions are vulnerable.