Persistent xss vulnerability in Services (IT Services)


    • Sprint 31, Sprint 32
    • 0.125

      There are multiple problems with Services (IT services):

      1. Create an IT service with the name "?" ) & alert(""XSS; when it is deleted from the frontend, custom JS (the alert in this PoC) is executed.
      2. IT service creation through the API does not require any special permissions (as long as you can log in).

      The combination of the two makes it a great place for persistent XSS attacks. Maybe we should fix the API as well, because a user without permissions can create a mess in Services.
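      The pattern behind item 1, shown as an added example rather than code from the Zabbix frontend: a hypothetical delete-confirmation handler whose JavaScript source is assembled from a user-controlled service name, in its vulnerable form and in a hardened form, plus a small harness that records which functions the generated code actually calls when "clicked". The payload string, the function names and the handler shape are assumptions for illustration; only the idea (a quote in the name terminates the string literal and the remainder runs as code) comes from the report.

```javascript
// Added example, not Zabbix code. Models a delete link whose inline
// handler is built from a service name supplied by any logged-in user.

// Constructed payload with the same shape as the report's PoC: it closes
// the string literal, then uses `&` to append a second call so that the
// resulting expression still parses.
const EVIL_NAME = '") & alert("XSS';
const PLAIN_NAME = 'Mail relay';

// Vulnerable: raw string concatenation into JavaScript source. Nothing
// stops the name from containing the delimiter of the literal it sits in.
function inlineHandlerVulnerable(name) {
  return 'return confirm("Delete service ' + name + '?");';
}

// Hardened: JSON.stringify emits a valid JS string literal with quotes,
// backslashes and line terminators escaped, so the name can only ever be
// data inside confirm()'s argument, never code.
function inlineHandlerHardened(name) {
  return 'return confirm(' + JSON.stringify('Delete service ' + name + '?') + ');';
}

// When the handler source lands in an HTML attribute (onclick="..."), it
// needs HTML-attribute escaping on top of the JS escaping, otherwise a
// double quote in the source would terminate the attribute itself.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/'/g, '&#39;');
}

function renderDeleteLink(handlerSource) {
  return '<a href="#" onclick="' + escapeHtmlAttr(handlerSource) + '">Delete</a>';
}

// Harness: execute the generated handler with stubbed confirm/alert and
// record every call, which is what the browser would do on click.
// confirm/alert are passed as parameters so no globals are touched.
function runHandler(source) {
  const calls = [];
  const confirm = (msg) => { calls.push(['confirm', msg]); return true; };
  const alert = (msg) => { calls.push(['alert', msg]); };
  new Function('confirm', 'alert', source)(confirm, alert);
  return calls;
}

// Usage: the vulnerable handler fires alert(), the hardened one does not.
console.log(runHandler(inlineHandlerVulnerable(EVIL_NAME)));
console.log(runHandler(inlineHandlerHardened(EVIL_NAME)));
console.log(renderDeleteLink(inlineHandlerHardened(EVIL_NAME)));
```

      One caveat if the hardened source is emitted inside a `<script>` element instead of an attribute: the HTML parser ends the element at the first `</script>` regardless of JS string quoting, so `</` must be escaped as `<\/` in addition to what JSON.stringify does. Better still is to avoid generating JavaScript from data at all: put the name in a `data-` attribute (HTML-escaped) and read it from a static handler.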

            Assignee:
            Vjaceslavs Bogdanovs
            Reporter:
            Vjaceslavs Bogdanovs
            Team C
            Votes:
            0
            Watchers:
            3
