Hi Jeremy,
Thank you for bringing this to our attention!
As a short-term patch, you can update /cmsb/lib/init.php at line 649 from this:
    alert(sprintf(t("Updating Program Url to: %s")."<br>\n", $SETTINGS['adminUrl']));
to this:
    alert(sprintf(t("Updating Program Url to: %s")."<br>\n", htmlencode($SETTINGS['adminUrl'])));
This should - at a minimum - remove the XSS vulnerability reported, though we'll also be doing a review of some underlying factors and will release this and any additional security fixes in the next version of CMSB.
Let me know if you have any further questions!
Thanks again,
Daniel
Technical Lead
interactivetools.com