mt-comments.cgi in Movable Type prior to 3.2 allows malicious users to redirect users to other web sites via URLs in comments.
six apart movable type 3.16
Vulmon