Vendor: TAO Open Source Assessment Platform
By: Vulnerability Laboratory
CVSS: 4.0 (MEDIUM)
Multiple Web Vulnerabilities
CWE: N/A
Product Name: TAO Open Source Assessment Platform
Affected Version From: 3.3.0 RC02
Affected Version To: 3.3.0 RC02
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

TAO Open Source Assessment Platform 3.3.0 RC02 – HTML Injection

Multiple cross-site vulnerabilities have been discovered in the TAO Open Source Assessment Platform v3.3.0 RC02. They allow remote attackers to inject malicious script code that is stored on the application side (persistent) of the vulnerable service module. The vulnerable parameters are the `name` and `description` values of the `create` module. The injected script code executes in the `list` module of the `create` module. The injection request method is POST, and the attack vector is located on the application side.

Mitigation:

The vulnerability can be patched by securely parsing and encoding the `name` and `description` values of the `create` module.
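
One way to apply this mitigation, as an added example that is not TAO's code and not part of the original advisory: the create request is checked for type and length, and the stored `name` and `description` are HTML-encoded wherever the list view writes them out. The function names, the table markup, the length limits and the sample records are assumptions made for illustration.

```javascript
"use strict";

// Characters that can change HTML structure in element or quoted-attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a stored value for output into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side check for the POST that creates a record (limits are assumed).
// Markup characters are not rejected here; they are neutralized on output.
function validateCreateInput(body) {
  const errors = [];
  for (const [field, max] of [["name", 255], ["description", 2000]]) {
    const v = body[field];
    if (typeof v !== "string") errors.push(`${field}: must be a string`);
    else if (v.length > max) errors.push(`${field}: longer than ${max}`);
  }
  return errors;
}

// Render one row of a hypothetical list view; every stored value is encoded.
function renderRow(record) {
  const name = escapeHtml(record.name);
  const description = escapeHtml(record.description);
  return `<tr><td title="${name}">${name}</td><td>${description}</td></tr>`;
}

function renderList(records) {
  return `<table>${records.map(renderRow).join("")}</table>`;
}

// Constructed sample records, as they would sit in storage after "create".
const sampleRecords = [
  { name: "Math test 1", description: "Algebra & geometry" },
  { name: '"><b>injected</b>', description: "<script>alert(1)</script>" },
];

console.log(renderList(sampleRecords));
```

Encoding at output keeps records that were stored before the fix inert as well, which input filtering on the create request alone would not.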