It's possible to inject script into message and to acces username/password.
vulners.com/securityvulns/securityvulns:doc:4792
vulners.com/securityvulns/securityvulns:doc:4816
vulners.com/securityvulns/securityvulns:doc:5246
vulners.com/securityvulns/securityvulns:doc:5257
vulners.com/securityvulns/securityvulns:doc:6596
vulners.com/securityvulns/securityvulns:doc:6604
vulners.com/securityvulns/securityvulns:doc:8861