I discovered a DOM XSS vulnerability in AVG, located in the download section of the official website.
Because the code in the file js_stdfull.js does not escape or encode the URL, a user could inject code into the website.
// display the correct tab based on the url (#name)
var pathname = $(location).attr('href');
var urlparts = pathname.split("#");
Proof of concept:
http://www.avg.com/eu-en/download#"><img src=x onerror=prompt(/xss/);>
This XSS vector worked fine with Chrome, but you could change it to work with other browsers as well.
This issue has already been fixed, but I didn't get any reply from their team.
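One way to handle the `#name` fragment safely is shown below. It is an added example, not AVG's code or their actual fix. The tab names, `ALLOWED_TABS`, `DEFAULT_TAB`, and the function names are assumptions: the fragment is matched against an allowlist of known tab ids and is never concatenated into markup or a selector.

```javascript
// Added example: hardened handling of the URL fragment used to pick a tab.
// ALLOWED_TABS, DEFAULT_TAB and all function names are hypothetical.
const ALLOWED_TABS = new Set(["free", "trial", "business"]); // constructed sample tab ids
const DEFAULT_TAB = "free";

// Return the text after the first "#" in href, percent-decoded.
// Malformed escapes fall back to the raw text instead of throwing.
function fragmentOf(href) {
  const i = href.indexOf("#");
  if (i === -1) return "";
  const raw = href.slice(i + 1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Map the fragment to a known tab id. Anything outside the allowlist,
// including markup such as the proof of concept above, yields the default.
function selectTabFromUrl(href) {
  const name = fragmentOf(href);
  return ALLOWED_TABS.has(name) ? name : DEFAULT_TAB;
}

// If the fragment ever has to be echoed into HTML, encode it first.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Browser usage (assumed markup: each tab panel has an id equal to its name):
//   const tab = selectTabFromUrl(window.location.href);
//   document.getElementById(tab).classList.add("active");
```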