There are multiple problems with Services (IT services):
- Create IT service with name "?" ) & alert(""XSS when deleted from Frontend, custom JS (alert in this PoC) is executed.
- IT service creation through API does not require any special permissions (as long as you can login).
Combination of two makes it a great place for persistent XSS attacks. Maybe we should fix API as well because user without permissions can create a mess in Services.