Cross Site Scripting have been my favorite vulnerability for all time, as XSS is very common to find in any website. in fact XSS is very dangerous Vulnerability. on OWASP's Top 10 Vulnerabilities of 2013 it is on 3rd. usually developer doesn't watch out for this vulnerability while building website. recently i have found 2 stored XSS on Vodafone! actually on vodafoneappstar.com, Vodafone App Star is an annual contest by vodafone to encourage developers to build apps for mobile platform. it is an international level contest by Vodafone.
every text field was not sanitized to handle XSS attacks, i have quickly move to my Gmail and wrote up mail to vodafone, and after few days i got a positive reply back..