Dradis before 4.8.0 allows persistent cross-site scripting (XSS) by authenticated author users, related to avatars.
dradisframework dradis