Any user can execute JavaScript code on an administrator user's account by simply changing their name into an XSS payload. This can be used to create a denial of service condition, or make the administrator perform unauthorised actions.
Steps to reproduce
Create a user with the lowest privileges
Navigate to the 'My Account' section of the application
Change the user's real name to a JavaScript payload, like asdf<img src=x onerror=alert(1)>
Log out of the account.
Log into an administrator account
Navigate to the user list in the administrator's console
Issue
Any user can execute JavaScript code on an administrator user's account by simply changing their name into an XSS payload. This can be used to create a denial of service condition, or make the administrator perform unauthorised actions.
Steps to reproduce
asdf<img src=x onerror=alert(1)>