qdPM 9.1 suffers from Cross-site Scripting (XSS) via configuration?type=[XSS] parameter.

Source