para-core is vulnerable to cross-site scripting. The vulnerability exists because the compileMustache
function of Utils.java
does not properly escape the HTML when compiling mustache templates, allowing an attacker to inject and execute malicious javascript.