In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
sitecore cms 8.2