ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
https://www.ilias.de/docu/goto_docu_pg_75029_35.html
https://www.exploit-db.com/exploits/43595/
https://github.com/ILIAS-eLearning/ILIAS/commit/c0f326d05231072e33679b84835c03d5043255cb