Description

The XSS playload injected in the identities to create a new account leads to stored and reflected XSS in identities page and also in the logs page.

Steps to Reproduce

1. Go to admin/identities 

2.Enter the payload in the username, first name and last name as these fields are not sanatized 

3. This is the payload for triggering the XSS  "&gt;<img>  and you can see payload executed in both the accounts page 
 upon deletion action and the stored XSS will get triggered Logs page.

4. Please refer the POC for the same.

Proof of Concept

Drive link of POC

https://drive.google.com/file/d/1glc2cwyrmi_IwicJ5SD5n0Wuhi82AtEW/view?usp=sharing