CVE 2016-4866
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.
See the 
CVE page on Mitre.org
for more details.
