In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
https://packetstormsecurity.com/files/164183/Cloudron-6.2-Cross-Site-Scripting.html
http://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html