An issue exists in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen.
xiaocms xiaocms 20141229