An issue exists in the Comments plugin prior to 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.
verbb comments