The mail message display page in SquirrelMail up to and including 1.4.22 has XSS via a "<form action='data:text" attack.
squirrelmail squirrelmail