[unfed]

Combination of XSS and CSRF.

[benregenspan]

This seems like it's just plain XSS - it doesn't take advantage of a user's serverside session to forge an action on their behalf.