Discovered by s3cure Risk: small When we are logged on account we see: http://site.site/cgi-bin/openwebmail/openwebmail-main.pl?sessionid=yourlogin*-session-0.274744641575129&action=listmessages_afterlogin Now we can do small xss: http://site.site/cgi-bin/openwebmail/openwebmail-main.pl?sessionid=yourlogin*-session-here xss&action=listmessages_afterlogin Ofcourse we can do a lots of other things but ... It's now your job.