Summary

In the latest v6.0.0 version, the endpoint /admin/comment/list does not encode user-controllable parameters when outputting them on the current page, resulting in Reflected XSS. This allows attackers to launch XSS attacks against administrator users.

POC

http://localhost:8888/admin/comment/list?startDate=&endDate=&username=1%22%3E%3Cimg+src%3D1+onerror%3Dalert%289%29%3E