Cross-site scripting (XSS) vulnerability in all.php in Galatolo WebManager 1.3a and earlier allows remote attackers to inject arbitrary web script or HTML via the tag parameter.