The application uses Purifier to avoid Cross-Site Scripting attacks. However, in the WidgetsManagement module under Settings, the "title" parameter is not validated and is used directly, without any encoding or validation, in Vitger/dashboards/ChartFilter.tpl. This allows an attacker to inject arbitrary JavaScript code and perform a stored XSS attack.
https://gitstable.yetiforce.com/index.php?module=WidgetsManagement&parent=Settings&view=Configuration
Widgets" onfocus="alert(document.domain)" autofocus ""="
**Inject the payload**
https://drive.google.com/file/d/1mqJq_e1sfnUyQ-amBujR2Bes2lUiQZVF/view?usp=sharing
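The root cause described above, output into an HTML attribute without encoding, can be reproduced and regression-tested outside the application. The following is an added example, not YetiForce code: the `<input>` fragment and all function names are hypothetical stand-ins for the place where ChartFilter.tpl emits the widget title.

```php
<?php
// Added example, not YetiForce code. The <input> fragment is a hypothetical
// stand-in for the spot in ChartFilter.tpl where the widget title is emitted.

/** Vulnerable pattern: the title is concatenated into the attribute as-is. */
function renderTitleRaw(string $title): string
{
    return '<input type="text" name="title" value="' . $title . '">';
}

/** Hardened pattern: encode for an HTML attribute context at output time. */
function renderTitleEncoded(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="title" value="' . $safe . '">';
}

/** Parse the markup and return the attribute names an HTML parser sees. */
function attributeNames(string $html): array
{
    libxml_use_internal_errors(true); // malformed attributes are expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

/** Regression check: only the attributes the template wrote may be present. */
function hasInjectedAttributes(string $html): bool
{
    return array_diff(attributeNames($html), ['type', 'name', 'value']) !== [];
}

// The title value from the report above.
$title = 'Widgets" onfocus="alert(document.domain)" autofocus ""="';

// Raw rendering: the quote in the title closes value="" early.
var_dump(hasInjectedAttributes(renderTitleRaw($title)));
// Encoded rendering: the whole title remains the content of value="".
var_dump(hasInjectedAttributes(renderTitleEncoded($title)));
```

In a Smarty template the equivalent output-time fix is to apply the `escape` modifier to the variable where it is written into the attribute.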