RunningSnail reported an XSS issue in the bundle Web Console.
After logining,I visit the page whose url is http://127.0.0.1:8080/system/console/bundles.
Then I click "Install/Update" and before uploading a jar file,I change the content of the "MANIFEST.MF" in the jar file.
So when an admin visit the page,he will be affected by the stored xss.
See attached images