QPR Portal prior to 2012.2.1 allows remote malicious users to modify or delete notes via a direct request.
qpr portal