SPIP < 1.8.2e - Cross-Site Scripting via Lang Parameter
Cross-site scripting (XSS) vulnerability in index.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
DotClear - SQL Injection via dc_xd Cookie Parameter
SQL injection vulnerability in session.php in DotClear before 1.2.3 allows remote attackers to execute arbitrary SQL commands via the dc_xd parameter in a cookie.