Cross-site scripting (XSS) vulnerability in news_show.php in Newanz NewsOffice 2.0.18 allows remote attackers to inject arbitrary web script or HTML via the n-cat parameter.