Microsoft’s login.live.com suffered from an arbitrary text injection vulnerability.