Cross-site scripting (XSS) vulnerability in admin/currencies.php in osCSS 1.2.2, and probably earlier versions, allows remote attackers to inject arbitrary web script or HTML via the page parameter.