The application does not check or filter user-supplied comments before saving them to the database. An attacker cannot insert JavaScript to steal the admin's data, but can insert HTML code, which leads to a number of information security risks.
<img src="https://www.technistone.com/color-range/image-slab/Starlight%20Black_SLAB_web.jpg" width="2000" height="2000">
An attacker can insert HTML code to break the website layout, carry out phishing, or collect the admin's IP address by loading images in img tags.
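As an added example (not the reported application's code), the server-side fix a defender would put in front of the comment store: an allow-list sanitizer that drops the img tag above (and any other unlisted tag or attribute) while keeping harmless formatting, plus a strict plain-text escape for sites that want no markup at all. The allowed tag policy and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Policy (assumed): only these inline/formatting tags survive, and none of
# them may carry attributes, so src/onerror/style/href can never get through.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}          # tags that have no closing tag


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output fragments
        self.stack = []     # currently open allowed tags (for auto-closing)
        self.dropped = []   # tag names removed; worth logging as a signal

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)        # e.g. img, script, iframe, a
            return
        self.out.append(f"<{tag}>")         # attributes are never copied
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):   # handles <br/> style tags
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.stack:               # close back to the matching tag
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        # Text is re-escaped so that < > & " cannot be reinterpreted as markup.
        self.out.append(html.escape(data, quote=True))

    def close(self):
        super().close()                     # flush buffered text
        while self.stack:                   # close anything left open
            self.out.append(f"</{self.stack.pop()}>")


def sanitize_comment(raw):
    """Return (safe_html, dropped_tag_names) for a user-submitted comment."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


def escape_comment(raw):
    """Strict alternative: render the comment as plain text, no markup at all."""
    return html.escape(raw, quote=True)
```

Run sanitize_comment (or escape_comment) on the comment before it is stored, and again on display if older rows were saved unfiltered.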