In ocProducts Composr CMS prior to 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.
compo composr cms