A cross site scripting (XSS) vulnerability exists in the Urchin 5 session controller as described in this Secunia advisory:
This vulnerability is present in Urchin 5.702 and earlier, and was addressed in Urchin 5.703.
Impact on Urchin Customers
This vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the site running Urchin.
Mitigation
This vulnerability was addressed in Urchin 5.703, which was released on April 4, 2005. All installed instances of Urchin 5 should be upgraded to Urchin 5.703, which can be obtained free of charge from:
IMPORTANT: there is an additional cross site scripting vulnerability in Urchin 5 that is not addressed by upgrading to Urchin 5.703. To completely address known Urchin 5 cross site scripting vulnerabilities, upgrade all Urchin 5 installations to Urchin 5.703 and then apply the Urchin 5.703 patch described in this help article: