In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.
https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory