Cobalt · Cobalt · CVE-2024-51498
**Name of the Vulnerable Software and Affected Versions**
cobalt versions prior to 10.2.1
**Description**
A malicious cobalt instance could serve links with the `javascript:` protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit `66bac03e` and was mitigated in commit `97977efa` for correctly configured web instances.
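The defensive check that closes this class of bug is a scheme allowlist applied to every picker link before it is handed to the browser. The following is an added example, not cobalt's own code; it assumes picker items have the shape `{ url: string }` and relies on the WHATWG `URL` parser to normalise case, leading whitespace and embedded tab/newline characters so that obfuscated `javascript:` variants are also rejected.

```javascript
// Added example (not cobalt's code): allowlist picker links by URL scheme.
// Assumed item shape: { url: string }. Anything that is not an absolute
// http(s) URL is dropped, so "javascript:", "data:" and relative paths never
// reach an <a href> or window.open() call.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function isSafeDownloadUrl(candidate) {
  if (typeof candidate !== "string") return false;
  let parsed;
  try {
    // The URL parser lowercases the scheme, strips leading/trailing space
    // and control characters, and removes ASCII tab/newline anywhere, so
    // "  JavaScript:alert(1)" and "javascript\t:alert(1)" both normalise to
    // protocol "javascript:" and fail the allowlist below.
    parsed = new URL(candidate);
  } catch {
    return false; // relative or malformed URLs are rejected outright
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Filter a picker response from a (possibly untrusted) instance down to the
// items whose links are safe to offer as downloads.
function filterPickerItems(items) {
  if (!Array.isArray(items)) return [];
  return items.filter(item => item && isSafeDownloadUrl(item.url));
}

// Constructed sample picker response for demonstration.
const samplePicker = [
  { url: "https://media.example.com/clip.mp4" },
  { url: "javascript:alert(document.cookie)" },
  { url: "  JavaScript:alert(1)" },
  { url: "data:text/html,<script>alert(1)</script>" },
];
console.log(filterPickerItems(samplePicker)); // keeps only the https item
```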
**Recommendations**
For versions prior to 10.2.1, upgrade to version 10.2.1 or later to fully resolve the issue.
For users unable to upgrade, enabling a Content-Security-Policy on the web instance is a temporary mitigation.