Alf.Io · Alf.Io · CVE-2024-45299
**Name of the Vulnerable Software and Affected Versions**
alf.io versions prior to 2.0-M5
**Description**
alf.io is an open source ticket reservation system for events. Prior to version 2.0-M5, data preloaded into pages as JSON, including the texts used for customization, is not escaped correctly. An administrator or event admin can therefore break their own installation by entering text that is not correctly escaped. The Content-Security-Policy directive, however, blocks any potential script execution.
**Recommendations**
For versions prior to 2.0-M5, update to version 2.0-M5, which resolves the issue. As a temporary workaround, avoid using non-escaped text in customization to minimize the risk of breaking the installation.