An authenticated user can embed malicious content with XSS into the admin group policy page.
Related posts