Dcianciullio

**Name of the Vulnerable Software and Affected Versions** Cross Reference Add-on version 36 for Google Docs **Description** An issue in the Cross Reference Add-on allows stored XSS in the preview boxes of the configuration panel. A malicious user can inject arbitrary JavaScript code using `SCRIPT` elements or event handlers via label text and references text. This code is stored by the plugin, potentially allowing the attacker to target anyone who opens the configuration panel. **Recommendations** For Cross Reference Add-on version 36, consider disabling the preview boxes in the configuration panel until a fix is available to prevent potential exploitation. Restrict access to the configuration panel to minimize the risk of stored XSS attacks. Avoid using the label text and references text fields in the configuration panel until the issue is resolved.