The report is kind of concerning to read, particularly having XSS in this kind of app. The report was not meant to be exhaustive and fixing those vulns isn't some kind of implicit tick of approval.