In Knowage up to and including 6.1.1, there is XSS via the start_url or user_id field to the ChangePwdServlet page.
eng knowage