Topic starter
04/30/2026 16:34
Hello.
Recently we found out that some JavaScript can be executed inside the Carbonio web interface.
We received a mail with this code inside the mail body:
--!>"'><svg/onload=confirm('X')>';alert(1)//</style><script>confirm(1)</script><img src=x onerror=confirm(1)><iframe srcdoc="<script>confirm(1)</script>"></iframe>javascript:confirm(1)//</style><style>}body{background:url(javascript:confirm(1))};{color:expression(confirm(1))}</style><a href="javascript:confirm(1)">x</a><div style="color: expression(confirm(1))"></div><meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
and two pop-ups with this text - Javascript from servername 1 - were shown when I just opened this mail. I guess this looks like a vulnerability.
Only Chrome-based browsers are affected.
Steps to reproduce:
- Receive the code above in a separate email, or attach this code as an EML file
- Open the email or the attached EML file with this code
- The JavaScript pop-up shows up twice
What can we do to prevent this? Thank you
zmcontrol -v Carbonio Release 26.3.1
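
One way to check a stored message for the kinds of markup in the string above, as an added example that is not part of the original post and not Carbonio code: it lists script-capable tags, event-handler attributes, `javascript:` URLs and meta refreshes in every text part of an EML. The function names, finding labels and sample message are constructed for illustration; plain-text parts are scanned as well, on the assumption that the post does not say which part type carried the string.

```python
# Added example, not Carbonio code: list script-capable markup in an EML's text parts.
from email import message_from_string, policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            # Browsers ignore whitespace/control characters inside a URL scheme.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}.{name}")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"js-url:{tag}.{name}")
            elif name == "style" and ("expression(" in compact or "javascript:" in compact):
                self.findings.append(f"css:{tag}.style")
            elif tag == "meta" and name == "http-equiv" and compact == "refresh":
                self.findings.append("meta-refresh")

def scan_eml(raw):
    """Return the findings for every text/* part, including parts of attached EML files."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also descends into message/rfc822 attachments
        if part.get_content_maintype() == "text":
            finder = ActiveContentFinder()  # fresh parser so one part cannot mask the next
            finder.feed(part.get_content())
            finder.close()
            findings += finder.findings
    return findings

# Constructed sample message (not taken from the post).
SAMPLE_EML = """\
From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>hello</p><img src=x onerror=confirm(1)><a href="javascript:confirm(1)">x</a>
<script>confirm(1)</script><meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
"""

if __name__ == "__main__":
    for finding in scan_eml(SAMPLE_EML):
        print(finding)
```

A non-empty result means the message carries markup that a mail client has to strip or neutralise before rendering; it does not show whether a given client actually executes it.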
