Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey parameter in an arsys/servlet/AttachServlet request.
BMC Remedy Action Request System