The REQUEST_URI was assigned as the value of a hidden field in the login form without proper escaping, resulting in a reflected cross-site scripting bug. Browsers were mitigating the issue, and IE was only impacted if XSS protection was disabled. We've improved the sanitization of this field.
The value of REQUEST_URI was not correctly sanitized against user input, in this case double quotes. However, due to URL encoding, this was only exploitable in IE.
Upserve handled this report quickly and professionally. I am looking forward to working with them again in the future.
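As an added example (not Upserve's code and not part of the report), the pattern described above modelled in Python: a hidden field populated from the request URI, in its unescaped and escaped forms, plus a parser check showing why a client that percent-encodes the double quote is unaffected while one that forwards it raw breaks the attribute. The field name, function names and sample URIs are assumptions.

```python
"""Reflected XSS via REQUEST_URI echoed into a hidden form field.

Constructed illustration of the reported pattern; the field name
"redirect" and the sample URIs below are assumptions, not Upserve's.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote


def render_hidden_vulnerable(request_uri: str) -> str:
    # Vulnerable: the URI is concatenated into an attribute unescaped,
    # so a literal double quote terminates the value early.
    return f'<input type="hidden" name="redirect" value="{request_uri}">'


def render_hidden_fixed(request_uri: str) -> str:
    # Hardened: escape &, <, >, " and ' before placing text in an attribute
    # (the equivalent of PHP's htmlspecialchars with ENT_QUOTES).
    safe = escape(request_uri, quote=True)
    return f'<input type="hidden" name="redirect" value="{safe}">'


class _AttrCollector(HTMLParser):
    """Records the attributes of the first tag, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if not self.attrs:
            self.attrs = dict(attrs)


def parsed_attributes(html: str) -> dict:
    parser = _AttrCollector()
    parser.feed(html)
    return parser.attrs


def value_round_trips(render, request_uri: str) -> bool:
    """True if the parsed value equals the URI and no extra attribute appeared."""
    attrs = parsed_attributes(render(request_uri))
    return attrs.get("value") == request_uri and set(attrs) == {"type", "name", "value"}


# Constructed inputs: a standards-compliant browser percent-encodes the quote
# before it reaches REQUEST_URI; a client that forwards it raw does not.
BROWSER_URI = "/login?next=" + quote('"x')   # -> /login?next=%22x
LEGACY_URI = '/login?next="x'
```

With the raw-quote URI the vulnerable renderer yields a truncated value and a stray attribute, which is the attribute breakout the report describes; with the percent-encoded URI both renderers round-trip, which is why URL encoding limited exposure.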