Michail Poultsakis

**Name of the Vulnerable Software and Affected Versions** project-open[ (aka ]po[) versions 3.4.x through 3.5.0.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `message` parameter to the "register/account-closed" API endpoint. **Recommendations** For project-open[ (aka ]po[) versions 3.4.x through 3.5.0.2, consider restricting access to the `message` parameter in the "register/account-closed" endpoint until a patch is available.