The pagetree plugin is vulnerable for XSS injecting the code in the treeId field.
Note: this only works if the acestors and pageId are actual ids of pages in the system.
IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the
vulnerability to publicly available security forums such as CERT (www.cert.org). Our policy is to give
you at least 30 days grace period prior to any public disclosure.