Lack of input validation on custom GUI/dashboard settings leads to potential XSS
There are a few fields that customize the dashboard and GUI that can be set globally on system.php or per-user on system_usermanager.php or system_user_settings.php. Of these, some allow configurable user input, including:
These fields rely only on client-side JavaScript and select lists to constrain their values, which a malicious client can easily bypass.
dashboardcolumns, and likely the other fields, can therefore have an arbitrary string stored in the configuration, which can lead to a potential stored XSS when the value is rendered.
These fields need to be validated on submission, and at least dashboardcolumns needs to be sanitized before display.
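The following is an added illustration of the two fixes the report asks for, written as standalone PHP; it is not pfSense's own code. The allowed-value set, the helper names and the error-collection pattern are assumptions chosen to resemble the way these pages accumulate `$input_errors`, and the sample submissions are constructed.

```php
<?php
// Added example, not pfSense's own code. Shows (1) server-side validation of a
// select-list setting on submission and (2) output encoding before display.

// Allowed values mirrored server side. Constructed set for illustration; the
// real form's option list would be the source of truth.
const DASHBOARD_COLUMNS_ALLOWED = ['1', '2', '3', '4'];

/**
 * Validate a submitted dashboardcolumns value (hypothetical helper).
 * Returns the canonical value, or null when the client bypassed the select
 * list and sent something else. Strict comparison (third argument true)
 * prevents "3 extra" from being accepted through loose integer coercion.
 */
function validate_dashboardcolumns($value): ?string {
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, DASHBOARD_COLUMNS_ALLOWED, true) ? $value : null;
}

/**
 * Collect form errors before anything is written to config (hypothetical
 * helper; pfSense pages typically gather these in $input_errors and refuse to
 * save while the array is non-empty).
 */
function check_gui_settings(array $post): array {
    $errors = [];
    if (isset($post['dashboardcolumns']) &&
        validate_dashboardcolumns($post['dashboardcolumns']) === null) {
        $errors[] = 'Invalid value for Dashboard Columns.';
    }
    return $errors;
}

/**
 * Output encoding for any stored setting that is echoed into HTML. This is the
 * second line of defence: it protects the display path even if an unvalidated
 * value was saved before the submission check existed.
 */
function html_safe(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions: one a genuine select-list value, one forged
// by a client that skipped the select list entirely.
$submissions = [
    'legitimate' => ['dashboardcolumns' => '3'],
    'forged'     => ['dashboardcolumns' => '3 extra <i>markup</i>'],
];

foreach ($submissions as $label => $post) {
    $errors = check_gui_settings($post);
    if (empty($errors)) {
        // Safe to persist; still encode on the way back out to the page.
        echo "$label: accepted, renders as "
            . html_safe($post['dashboardcolumns']) . "\n";
    } else {
        // Reject the save and report, as the pages do with $input_errors.
        echo "$label: rejected (" . implode('; ', $errors) . ")\n";
    }
}
```

The validation step is what closes the stored-XSS path; the `html_safe()` wrapper around every echoed setting is what protects installations whose config already contains a forged value from before the fix.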