HRSALE 2.0.0 allows cross-site scripting (XSS) via the set_date parameter of admin/project/projects_calendar.
hrsale hrsale 2.0.0