andrzuk/FineCMS before 2017-07-08 is vulnerable to a Stored XSS in application\core\controller\users.php and application\core\controller\logins.php.

First place: The view and edit pages for user information are vulnerable to a stored XSS.

Step 1:
Modify the information of any one user
Step 2:
Enter the payload shown below and click the Save button. Payload: 22222<svg/onload=alert()>"><svg/onload="alert()
Step 3:
Log in as another user, then view or edit the information of the user that was just modified.

Second place: The main interface of user information is vulnerable to a stored XSS.

Step 1:
Enter the following information when registering a user. Payload: 12<svg/onload=alert()>

Step 2:
The payload executes when the administrator views the registered user information.

Third place: The view of the login log is vulnerable to a stored XSS.

Step 1:
Enter the payload as the user name and click Login. Payload: <svg/onload=alert()>

Or set the payload in the User-Agent header.
Step 2:
The payload executes when the administrator views the login log.
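
All three locations render stored, user-supplied values (profile fields, the registration name, the login name, the User-Agent header) into HTML. The following added example, which is not FineCMS code and uses hypothetical function names and constructed records, encodes those values at render time for both element content and a quoted attribute value, the two contexts the first payload covers.

```php
<?php
// Added illustration, not FineCMS code. Function names and the record
// layout are hypothetical; sample values are the payloads quoted above.

// Encode a stored value for HTML element content or a quoted attribute.
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the
    // attribute it is placed in. ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of making the whole result an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// View page and user list: the stored value lands in element content.
function renderUserView(array $user): string
{
    return '<td>' . e($user['name']) . '</td>';
}

// Edit page: the stored value lands inside a double-quoted attribute.
function renderUserEdit(array $user): string
{
    return '<input type="text" name="name" value="' . e($user['name']) . '">';
}

// Login log: the submitted user name and the User-Agent header are both
// supplied by the client, so both columns are encoded.
function renderLoginLogRow(array $entry): string
{
    return '<tr><td>' . e($entry['login']) . '</td><td>'
         . e($entry['user_agent']) . '</td></tr>';
}

// Constructed sample records built from the payloads in the steps above.
$edited     = ['name' => '22222<svg/onload=alert()>"><svg/onload="alert()'];
$registered = ['name' => '12<svg/onload=alert()>'];
$entry      = ['login' => '<svg/onload=alert()>', 'user_agent' => '<svg/onload=alert()>'];

$outputs = [renderUserView($edited), renderUserEdit($edited),
            renderUserView($registered), renderLoginLogRow($entry)];
foreach ($outputs as $html) {
    // A raw "<svg" or an unencoded `">` would mean a payload survived.
    if (strpos($html, '<svg') !== false || strpos($html, '"><') !== false) {
        throw new RuntimeException('unencoded payload in output: ' . $html);
    }
    echo $html, PHP_EOL;
}
```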