phpList prior to 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
phplist phplist