The msfweb interface does not adequately filter certain arguments, allowing a hostile web site operator to perform a cross-site scripting attack on the msfweb user.
The msfweb interface does not provide any access control functionality. If the service is configured to listen on an interface other than the default (loopback), an attacker could abuse this to exploit remote systems and potentially access local files. The local file access attack can be accomplished by passing malicious arguments to payloads that use a local file as input, and then exploiting a (fake) service to obtain the file contents.