As far as I know, this is the first time that external security specialists have looked at the OpenPetra code.
They found a security issue, which is described here: https://huntr.dev/bounties/2fd892e2-01d2-448c-9eef-284d740ae2d4/
This issue can only be exploited if an existing user enters malicious data into the system. The user must have access to the sponsorship module. The issue does not occur in the Contacts screen.
Nevertheless, we have fixed the problem on both the server side and the client side.
You can check the commits related to this issue: https://github.com/openpetra/openpetra/issues/630
The latest binary tarball 2021.10.0.3 already contains the fix.
I have applied the fix to all OpenPetra systems that are maintained by myself (https://www.openpetra.com, https://demo.openpetra.org).