Apereo CAS up to and including 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
Apereo Central Authentication Service