In Exponent CMS prior to 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.
exponentcms exponent cms