An issue exists in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json.
acquia mautic 2.13.1