openCRX 5.2.0 exists to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field.
Vulmon