Multiple cross-site scripting (XSS) vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive Adserver before 3.2.2, allow remote attackers to inject arbitrary web script or HTML via the (1) id or (2) data-file parameter.