Microsoft SQL Server SQLXML XML tag script injection

Microsoft SQLXML, included as part of Microsoft SQL Server 2000 Gold or available as a separate add-on component for SQL Server, could allow a remote attacker to execute arbitrary script on the system, caused by improper validation of the "Root" parameter in an XML SQL query. SQLXML is a component used to exchange Extensible Markup Language (XML) data with a SQL server. A remote attacker could include malicious script within the "Root" parameter of an XML SQL query. This would allow the attacker to create a link on a Web page that calls a vulnerable XML SQL query. After the victim clicks the link, the script would be executed in the victim's Web browser within the security context of the local Intranet Zone, once a reply is received from the SQL Server running the SQLXML component.

http://xforce.iss.net/xforce/xfdb/9329