Input fields that allow Markdown input are vulnerable to XSS. This requires Superadmin permissions though.
Steps to reproduce:
1. Log in to the admin account
2. Go to Admin -> General Settings
3. Enter the payload in the `Login Note` and `Dashboard Message` fields.
4. Go to the Dashboard and confirm the XSS in the dashboard message. Log out and confirm the XSS in the login message.
Payload:
`[XSS](javascript:alert(document.location))`
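
A render-time check that addresses this class of bug, as an added example that is not part of the original report or the affected project's code. It assumes the Markdown renderer exposes a per-link hook; the function names and the scheme allowlist are hypothetical.

```javascript
// Added example: scheme allowlist applied when a Markdown link is rendered.
// All names are hypothetical, not taken from the affected project.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");

// Decode the character references a Markdown renderer resolves in a link
// destination, so "javascript&#58;..." cannot hide the scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&(Tab|NewLine);/g, "");
}

function isSafeHref(href) {
  // Browsers drop tab/CR/LF anywhere in a URL and ignore leading
  // control characters and spaces before parsing the scheme.
  const url = decodeEntities(href)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme: relative URL or fragment
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Link hook: emit an anchor only for allowlisted schemes, otherwise the
// escaped label as plain text.
function renderLink(label, href) {
  const text = escapeHtml(label);
  if (!isSafeHref(href)) return text;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a>`;
}

// Constructed sample input; the first destination is the payload from this report.
console.log(renderLink("XSS", "javascript:alert(document.location)"));
console.log(renderLink("docs", "https://example.com/help"));
```

Running the same check over the stored `Login Note` and `Dashboard Message` values is a quick way to find settings that already contain a rejected scheme.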