Mercur Messaging 2005 SP2 allows remote malicious users to read the source code of .ctml files via a URL with a trailing hex-encoded space ("%20").
mercur mercur messaging 2005_sp2