ExpressionEngine 1.4.1 does not sanatize the HTTP_REFERER variable. This can be used to post HTTP query with fake Referrer value which may contain arbitrary html or script code. This code will be executed when administrator(or any user) will open Referrer Statistics.
269640d9a1082ed07f4dc3684cbd7cf0264bdf5992ad0cf57f58bf4c5ed91008