Yahoo! Messenger 5,0,0,1064 and previous versions allow remote malicious users to execute arbitrary script as other users via the addview parameter of a ymsgr URI.
Yahoo! Messenger 5.0