Redmine prior to 4.0.7 and 4.1.x prior to 4.1.1 has XSS via the back_url field.
redmine redmine
debian debian linux 9.0