The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings for account name of admin user.
https://www.tenable.com/security/research/tra-2019-13
https://securityadvisories.paloaltonetworks.com/Home/Detail/142