Raised by Philip G.
I have the "Portlet for a fast work log" on my personal dashboard. Recently, I noticed that when rendering this view, HTML does not get escaped, allowing injection of HTML and JavaScript code by modifying a title of an issue that. E.g., if you create an issue with the title: <script type="text/javascript">alert("Yeah Baby")</script> and then go back to the dashboard, the JavaScript is executed and the alert window appears. Since this allows one user to execute code in the browser context of a different user, I would file this under "security issue" rather than "nuisance"...
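
The behaviour reported above, next to an output-encoded version, as an added example that is not part of the original report and not the portlet's own code. The function names and the row markup are assumptions made for illustration; the first sample title is the one from the report.

```javascript
// Added example: escapeHtml, renderRowUnsafe, renderRowSafe and titleInjectsMarkup
// are hypothetical names, and the <tr>/<td> markup is an assumed portlet row.

// Characters that are significant in HTML text and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so '&' in an already produced entity is never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the issue title is concatenated into the markup as-is,
// which is the behaviour the report describes.
function renderRowUnsafe(issue) {
  return '<tr><td title="' + issue.title + '">' + issue.title + '</td></tr>';
}

// "After": the user-controlled field is encoded at the point of output,
// once for the attribute value and once for the element content.
function renderRowSafe(issue) {
  const t = escapeHtml(issue.title);
  return '<tr><td title="' + t + '">' + t + '</td></tr>';
}

// Regression check: a title must not change the number of tag openers or
// attribute quotes in the rendered row compared with a plain title.
function titleInjectsMarkup(render, title) {
  const count = (s, ch) => s.split(ch).length - 1;
  const baseline = render({ title: 'plain' });
  const out = render({ title });
  return count(out, '<') !== count(baseline, '<') ||
         count(out, '"') !== count(baseline, '"');
}

// Sample titles: the one quoted in the report, and a constructed legitimate
// title that happens to contain HTML-significant characters.
const SAMPLE_TITLES = [
  '<script type="text/javascript">alert("Yeah Baby")</script>',
  'R&D: compare "old" <-> "new" export',
];

for (const title of SAMPLE_TITLES) {
  console.log('unsafe injects markup:', titleInjectsMarkup(renderRowUnsafe, title));
  console.log('safe injects markup:  ', titleInjectsMarkup(renderRowSafe, title));
}
```

The same check can be kept as a unit test around whatever template or view code renders issue titles, so a later change that drops the encoding fails the build.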