Crossite scripting in WebMail, cleartext passwords in cookie :)
vulners.com/securityvulns/securityvulns:doc:3597