Products.PlonePAS is vulnerable to cross-site scripting (XSS) attacks. Attackers can insert JavaScript through the home_page
property of their profile. When a user clicks the homepage link on the attacker's author page, the script is executed.
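
A defensive check for this class of bug, as an added example (not code from Products.PlonePAS or its fix). It assumes the home_page value ends up in a link's href; the names `safe_home_page` and `render_home_page_link` and the scheme allow-list are hypothetical.

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: a profile home page only ever needs to be a web URL.
ALLOWED_SCHEMES = {"http", "https"}


def safe_home_page(value):
    """Return the URL if it is safe to use as an href, otherwise ""."""
    if not isinstance(value, str):
        return ""
    candidate = value.strip(" ")
    # Browsers ignore tabs, newlines and other control characters inside a
    # URL, so a scheme can be hidden behind them. Reject rather than guess.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return ""
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    # urlsplit lower-cases the scheme, so mixed-case variants are covered.
    if parts.scheme not in ALLOWED_SCHEMES:
        return ""
    # Require a host: rejects "http:///x" and scheme-relative "//host".
    if not parts.netloc:
        return ""
    return candidate


def render_home_page_link(value):
    """Build the anchor for an author page, or "" when the URL is rejected."""
    url = safe_home_page(value)
    if not url:
        return ""
    # Escape for the attribute and for the text node separately from the
    # scheme check: the allow-list stops script URLs, escaping stops markup.
    quoted = escape(url, quote=True)
    return '<a href="%s" rel="nofollow noopener">%s</a>' % (quoted, quoted)


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ["https://example.org/~alice", "javascript:void(0)",
                   "JaVaScRiPt:void(0)", "java\tscript:void(0)", "//example.org"]:
        print(repr(sample), "->", repr(safe_home_page(sample)))
```

Validation belongs both where the property is saved and where the author page is rendered, so values stored before the check was introduced are also covered.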