The application uses Purifier to prevent Cross-Site Scripting attacks. However, in the LayoutEditor module under Settings, the fieldModel->label parameter has the type "Text", but it is not validated and is used directly, without any encoding or validation, in LayoutEditor/EditField.tpl. This allows an attacker to inject arbitrary JavaScript code and perform a stored XSS attack.
https://gitstable.yetiforce.com/index.php?module=LayoutEditor&parent=Settings&view=Index
LayoutEditor" onfocus="alert(document.domain)" autofocus ""="
Inject the payload:
https://drive.google.com/file/d/1TCHCCuLC_3pJ9VMaDvRWmlab58eOY8aI/view?usp=sharing
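As an added illustration (not code from this report or from YetiForce), the PHP below shows the class of defect described: a field label echoed into an HTML attribute without encoding, beside the attribute-encoded rendering that neutralises the quoted payload. The render functions and the input markup are assumptions standing in for the real EditField.tpl; the check parses the result with DOMDocument so the difference is visible without a browser.

```php
<?php
// Added example, not YetiForce code. Shows why a field label must be
// attribute-encoded before it is written into an HTML attribute.

// Constructed input: the payload shape quoted in the report.
$label = 'LayoutEditor" onfocus="alert(document.domain)" autofocus ""="';

// Vulnerable rendering (hypothetical): the label is interpolated verbatim.
// The embedded double quote ends the value attribute and the remainder of
// the string becomes new attributes, including an onfocus event handler.
function renderUnsafe(string $label): string
{
    return '<input type="text" name="label" value="' . $label . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES
// escapes both ' and ", so the value can no longer terminate the attribute.
function renderSafe(string $label): string
{
    $encoded = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="label" value="' . $encoded . '">';
}

// Parse the markup the way a browser would and report what the first <input>
// ended up with: its decoded value attribute and whether an onfocus handler
// attribute exists. Returns [value, hasOnfocus].
function inspectInput(string $html): array
{
    libxml_use_internal_errors(true);          // the broken markup is noisy
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [$input->getAttribute('value'), $input->hasAttribute('onfocus')];
}

[$value, $hasHandler] = inspectInput(renderUnsafe($label));
// Unencoded: value is truncated to "LayoutEditor" and an onfocus attribute exists.
printf("unsafe: value=%s onfocus=%s\n", $value, $hasHandler ? 'yes' : 'no');

[$value, $hasHandler] = inspectInput(renderSafe($label));
// Encoded: the whole label round-trips as plain text and no handler exists.
printf("safe:   value=%s onfocus=%s\n", $value, $hasHandler ? 'yes' : 'no');
assert($value === $label && $hasHandler === false);
```

If the template engine is Smarty, as the .tpl extension suggests, the equivalent fix in the template is to apply the `|escape` modifier to the label when it is written into the attribute (an assumption about the project's template setup, not verified here).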