A stored xss in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary javascript.