Hi *,
since quite some time a XSS in the "Add a new course" seems to be published / registered via the following CVE:
https://nvd.nist.gov/vuln/detail/CVE-2017-7298
To me it looks like this is matching the "XSS" FAQ available here:
Still it could make sense to clarify your view on this with the researcher:
http://www.daimacn.com/index.php/post/12.html
or mitre:
to get this CVE corrected / updated. Thanks