COYO 9.0.8, 10.0.11 and 12.0.4 has cross-site scripting (XSS) via URLs used by "iFrame" widgets.
coyoapp coyo 10.0.11
coyoapp coyo 12.0.4
coyoapp coyo 9.0.8