A Cross-site Scripting (XSS) vulnerability exists in the admin/accountant.php file. The fields town, name, and Accountant code can be used to escape double quote protection.
town
name
Accountant code