Kofax · Capture · CVE-2023-5118
**Name of the Vulnerable Software and Affected Versions**
Software versions prior to 11.1.x
**Description**
The application is vulnerable to Stored Cross-Site Scripting (XSS) in the endpoint "/sofer/DocumentService.asc/SaveAnnotation": the `author` and `text` parameters submitted via the POST method are not adequately sanitized or validated, so JavaScript placed in them is stored and later rendered, allowing the injection of malicious JavaScript code. The vulnerability was identified in the function for adding new annotations while editing document content.
**Recommendations**
For versions prior to 11.1.x, update to a version above 11.1.x to resolve the issue. As a temporary workaround, consider restricting access to the "/sofer/DocumentService.asc/SaveAnnotation" endpoint or disabling the function for adding new annotations until a patch is available. Avoid using the parameters `author` and `text` in the affected API endpoint until the issue is resolved.