Saturday, October 6, 2012

XSS vulnerability in multiple D+M group sites

According to my tests, the following D+M Group websites are vulnerable to reflected Cross-site Scripting (XSS):
  • Denon - the following sites were tested:
    • denon.co.uk
    • denon.de
    • denoneu.com
    • denon.com.cn
    • usa.denon.com
    • ca.denon.com
    • denon.fi
    • denon.ru
    • denon-online.ch
    • denon.jp
    • denon.fr
  • Marantz - the following sites were tested:
    • marantz.co.uk
    • marantzitaly.com
    • marantz.com.hk
  • allen-heath.com
  • mcintoshlabs.com
Vendor status: notified and reported on 30-Sep-2011 to the Global CMS Architect of D+M Group

Vendor response: "thank you" (however, the vendor has not fixed any of the sites; retested on 6-Oct-2012)

Screenshots of basic tests (captions only; the images are not reproduced here):

1) Allen-heath.com: remote JavaScript

2) Mcintoshlabs.com: simple iframe injection

3) Denon.de: "login" form created with JavaScript. Note: this is a generic test case. A real attacker would most likely mimic the site's layout, colours and fonts.

4) Marantz.co.uk: remote JavaScript execution

5) Denon.fi: basic XSS test using the latest Chrome browser. Although some browsers have "anti-XSS" features, there are known workarounds and "hacks". Developers should not rely on browser security alone.
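The findings above all come down to one server-side pattern: a query parameter is reflected into the page without output encoding. The following is an added example (not code from the post or from any D+M Group site) showing that pattern next to its fix, plus the response headers a site can send so that it does not depend on a browser's XSS filter. The URL, parameter name, page template and probe string are constructed assumptions for the demonstration.

```python
"""Reflected XSS: raw reflection of a query parameter next to its hardened form.

Constructed illustration; none of this is the vendor's code. The URL, the
parameter name `q`, the page template and the probe string are assumptions.
"""
import html
from urllib.parse import parse_qs, quote, urlparse


def reflected_param(url: str, name: str = "q") -> str:
    """Return the decoded value of query parameter `name` from `url` ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """'Before': the parameter is concatenated into HTML untouched, so any
    markup in it becomes part of the page. This is the defect class behind
    the reflected-XSS findings on the page."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """'After': HTML-entity encode the value for the element-content context.
    quote=True also encodes " and ', so the same helper is safe inside a
    quoted attribute value; other contexts (JavaScript, URL, CSS) need their
    own encoders."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def security_headers() -> dict:
    """Defence in depth: a Content-Security-Policy that permits scripts only
    from the site's own origin blocks remote-script and inline-script payloads
    even if an encoding bug slips through, and does not rely on the browser's
    built-in XSS filter (the point of finding 5 above)."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; frame-ancestors 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check for a test suite: True if the untrusted input that
    contains markup characters appears in the rendered output unchanged."""
    has_markup = any(c in untrusted for c in "<>\"'")
    return has_markup and untrusted in rendered


# Constructed probe string of the kind used in basic XSS checks (harmless on
# its own; it only demonstrates whether the tag survives into the output).
PROBE = "<script>alert('x')</script>"
SAMPLE_URL = "https://example.invalid/search?q=" + quote(PROBE, safe="")


if __name__ == "__main__":
    value = reflected_param(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
    print("raw markup reflected (vulnerable)?", reflects_raw_markup(render_vulnerable(value), value))
    print("raw markup reflected (hardened)?  ", reflects_raw_markup(render_hardened(value), value))
    for name, val in security_headers().items():
        print(f"{name}: {val}")
```

The encoder must match the output context: `html.escape` is correct for element content and quoted attribute values, but a value placed inside a `<script>` block or a URL needs JavaScript-string or URL encoding respectively, and a templating engine with auto-escaping enabled removes the chance of forgetting the call. The CSP is a second layer, not a substitute for encoding.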


