Undisclosed API endpoints may allow for a reflected cross-site scripting (XSS) attack. If the victim user is logged in as admin, this could result in a complete compromise of the system. (CVE-2020-5901)
Impact
For the attack to occur, a user must visit a specially crafted URL that includes the specific target host name. If the exploit is successful, an attacker can run JavaScript in the context of the currently logged-in user. If the user is logged in as an administrator, the attacker may be able to completely compromise the system.