Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.Referenceshttps://www.exploit-db.com/exploits/48626
