Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.
open-school open-school 3.0
open-school open-school 2.3