I've asked the devs to take a look at this. 1.9.3 is already out though and did address some xss vuls.
Also that page says 1.9.1 in the url, the breadcrumbs, and Cpe Name:/a.9.1. However the description of the vul states 1.9.2. This could already be fixed with these:
1.9.2
Fix XSS vulnerability in phone number widget (#1025)
Fix several XSS vulnerabilities in client and staff interfaces (#1024, #1025)
1.9.3
Fix XSS vulnerability in user name (#1108, #1131)