QPR Portal versions 2014.1.1 and older contain reflected and stored cross-site scripting vulnerabilities, and versions 2012.2.0 and older contain an insecure direct object reference vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
QPR Portal versions 2014.1.1 and older contain a stored cross-site scripting vulnerability (CVE-2014-8266) affecting the title and body fields of the note creation page. A reflected cross-site scripting vulnerability (CVE-2014-8267) affects the RID parameter.
A remote, unauthenticated attacker may be able to execute arbitrary script in the context of the end-user's browser session or perform unauthorized operations on other users' notes.
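As an added illustration (not QPR's code, and not from this note), the following hypothetical note-rendering and authorization helpers show the vulnerable pattern behind the three issues described above next to its hardened form: note title and body encoded at output time, the RID query parameter constrained before it is reflected (assumption: RID values are alphanumeric), and an owner check before a note is modified.

```python
import html
from dataclasses import dataclass

# Constructed stand-in for a stored note; not a QPR Portal data structure.
@dataclass
class Note:
    note_id: str
    owner: str
    title: str
    body: str


def render_note_unsafe(note: Note, rid: str) -> str:
    """Vulnerable form: stored fields and the reflected RID parameter are
    concatenated straight into the page, so any markup in them executes."""
    return (f'<h1>{note.title}</h1><p>{note.body}</p>'
            f'<a href="?RID={rid}">RID {rid}</a>')


def render_note_safe(note: Note, rid: str) -> str:
    """Hardened form: every untrusted value is HTML-encoded when written into
    the page, and RID is rejected unless it is alphanumeric (assumption about
    the RID format; adjust the check to the real identifier syntax)."""
    if not rid.isalnum():
        raise ValueError("invalid RID")
    title, body, rid = (html.escape(v, quote=True)
                        for v in (note.title, note.body, rid))
    return (f'<h1>{title}</h1><p>{body}</p>'
            f'<a href="?RID={rid}">RID {rid}</a>')


def update_note(notes: dict, note_id: str, user: str, new_body: str) -> bool:
    """Guard against the insecure direct object reference: a note is changed
    only when the requesting user owns it. Returns True on success."""
    note = notes.get(note_id)
    if note is None or note.owner != user:
        return False
    note.body = new_body
    return True
```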
Apply an update
Thanks to Mukhammad Khalilov of HelpAG for reporting these vulnerabilities.
This document was written by Joel Land.