An issue exists in ZrLog 2.0.3. There is stored XSS in the file upload area via a crafted attached/file/ pathname.
zrlog zrlog 2.0.3