Qatraq · Qatraq · CVE-2006-3312
**Name of the Vulnerable Software and Affected Versions**
QaTraq versions 6.5 RC and earlier
**Description**
The issue is cross-site scripting (XSS): remote attackers can inject arbitrary web script or HTML via various parameters in multiple files, including `top.inc`, `components_copy_content.php`, `components_modify_content.php`, `components_new_content.php`, `design_copy_content.php`, `design_copy_plan_search.php`, `design_modify_content.php`, `design_new_content.php`, `design_new_search.php`, `download.php`, `login.php`, `phase_copy_content.php`, `phase_delete_search.php`, `phase_modify_content.php`, `phase_modify_search.php`, `phase_view_search.php`, and `products_copy_content.php`. The vulnerable parameters include `link_print`, `link_upgrade`, `link_sql`, `link_next`, `link_prev`, `link_list`, `msg`, `component_name`, `component_desc`, `title`, `version`, `content`, `plan_title`, `plan_content`, `plan_name`, `plan_desc`, `file_name`, `username`, `password`, `minor_version`, `new_version`, `product_name`, and `product_desc`.
**Recommendations**
For QaTraq versions 6.5 RC and earlier, update to version 6.8 RC or later to resolve the issue.