Nifty-PM CPE 2.3 is affected by stored HTML injection. The impact is remote arbitrary code execution.