On a German challenge site called theriddle.de I discovered an XSS vulnerability with (most likely) every form on the site. The vulnerability can be exploited through the URL like so:

http://theriddle.de/level01/b28ce87a-e45f-43d8-b2a1-feaf9169dbf9.php/"><script>alert(1)</script>

The above URL causes an alert box to appear.

The vulnerability is most likely due to the usage of the PHP global variable $_SERVER['PHP_SELF'] in the action attribute of forms. More information about PHP_SELF can be found in PHP Secure Coding Guidelines.

The site owner was informed on September 26 (although the vulnerability has not been patched yet at the time of this post).