hsweb-system-workflow-local is vulnerable to cross-site scripting (XSS). A lack of validation on the type
parameter in FlowableModelManagerController.java
allows a remote attacker to inject arbitrary Javascript into a victim’s browser to steal session token or perform unwanted actions on behalf of the user.