This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.