LavaLite up to and including 5.7 has XSS via a crafted account name that is mishandled on the Manage Clients screen.
lavalite lavalite