The vulnerability exists in NoteMark versions 0.13.0 and below. By injecting a malicious payload into a note that is then rendered in the 'Rendered' tab, an attacker can execute arbitrary JavaScript code in the context of the user's session.
BitsCast crashes when it receives an RSS 2.0 feed item with an invalid string in the 'pubDate' sub-element.