Cross Site Scripting vulnerability in Unit4 Financials by Coda before 2023Q4 allows a remote malicious user to run arbitrary code via a crafted GET request using the cols parameter.