weison-tech/yii2-rbac is vulnerable to cross-site scripting (XSS). The attack is possible because the application does not sanitize the name field submitted to /contact.html via protected\core\modules\home\models\Contact.php, allowing an attacker to inject arbitrary script through it.