The one reported by FrSIRT is a cross site scripting flaw which allows injection of Javascript into pages.

Symantec haven't got back to me yet regarding their discovery.