A recent advisory from Cisco details an unpatched flaw in its IOS HTTP server.
The flaw could allow execution of malicious code against the device, or other cross-site scripting attacks, depending on conditions. A proof-of-concept exploit has been created that attempts to reset the password on affected devices.
The vulnerability and the above-mentioned exploit were originally posted to BugTraq on November 28.
Although a patch is not currently available, Cisco has provided several workarounds on the advisory page for the interim.