A posting to the Full Disclosure mailing list claims an unpatched cross-site scripting vulnerability in Yahoo!'s mail
and includes example script code. Quoting the author:
"I didn't contact Yahoo, because I contacted them previously regarding a
similar vulnerability, and yes they fixed it 'silently' without even
sending me a thank you email, frankly I didn't really appreciate that."
Oh and Happy Holidays.
Mailing List Post Link: Yahoo mail Cross Site Scripting vulnerability (Mail Posting)