Chandlerchino

**Name of the Vulnerable Software and Affected Versions** ThinkSAAS version 2.91 **Description** An issue was discovered where there is a potential for XSS via the content to the "index.php?app=group&ac=comment&ts=do&js=1" URI. This can be demonstrated by a crafted SVG document in the `SRC` attribute of an `EMBED` element. **Recommendations** For ThinkSAAS version 2.91, as a temporary workaround, consider restricting access to the "index.php?app=group&ac=comment&ts=do&js=1" URI to minimize the risk of exploitation. Avoid using crafted SVG documents in the `SRC` attribute of an `EMBED` element until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.