Versions of iobroker.web
prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim’s browser.
Upgrade to version 2.4.10 or later.