In ocProducts Composr CMS prior to 10.0.38, an attacker can inject JavaScript via Comcode for XSS.
compo composr cms