Beanstalk Console is vulnerable to reflected Cross-Site Scripting via the server parameter.
Setup the Beanstalk console locally.
Go to https://localhost/public/?
and add a random server.
Visit https://localhost/public/?server=%3Cimg%20src=x%20onerror=alert(document.domain)%3E
You can see that an alert pops up with the domain name confirming the reflected XSS