Content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped.
A malicious user with the capability to create an artifact or to edit a field used as a card field could force victim to execute uncontrolled code.
CVSSv3.1 score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- Have a kanban with a selectbox of users in a card field (e.g. a "Assigned to" field)
- Set this field to a user having a realname like ""
- Display the kanban
OWASP Cross-site Scripting