pfSense before 2.4.5 has stored XSS in systemusermanageraddprivs.php in the WebGUI via the descr parameter (aka full name) of a user.