«onTrack - IT Asset Management & Project Management» has no input field filtering, so it is affected by multiple XSS issues.
PoC: Go to the demo website http://demos.codeniner.com/ontrack/?route=signin and log in as admin. Choose any section you want, such as «Clients», «Inventory», «Projects», «Knowledge Base», etc. Any input field that you can find inside this system is vulnerable, so use any payload you want, e.g.: "><img src="x" onerror="alert('cxsecurity');"> and it will work. In addition, .SVG file uploads are allowed, so you can upload an «evil» .SVG with a cookie stealer inside, for example.
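The two missing controls, sketched as an added example (not onTrack's own code): encoding stored values at output time, shown on the payload quoted above, and a conservative allowlist check for uploaded SVG files. The field name `client_name`, the helper names and the sample SVG byte strings are assumptions constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Payload quoted in the advisory text.
PAYLOAD = '"><img src="x" onerror="alert(\'cxsecurity\');">'

# Constructed sample uploads (not taken from the product or the demo site).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="#09c"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* active content */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* handler */"><rect/></svg>'

# Conservative allowlist: static drawing elements only.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc",
                "defs", "lineargradient", "radialgradient", "stop", "use"}


def render_field(value: str) -> str:
    """Echo a stored value into an attribute, encoding it at output time."""
    # "client_name" is a hypothetical field name.
    return '<input name="client_name" value="%s">' % html.escape(value, quote=True)


def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_is_safe(data: bytes) -> bool:
    """Accept only static SVG; anything unparseable or active is rejected."""
    if b"<!DOCTYPE" in data.upper() or b"<!ENTITY" in data.upper():
        return False  # no DTDs or entity definitions in uploads
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False  # fail closed
    for el in root.iter():
        if local(el.tag) not in ALLOWED_TAGS:
            return False  # script, foreignObject, animate, style, ...
        for name, val in el.attrib.items():
            attr = local(name)
            if attr.startswith("on") or attr == "style":
                return False  # event handlers and inline CSS
            if attr in ("href", "src") and not val.strip().startswith("#"):
                return False  # only same-document references
    return True
```

Serving uploaded files with Content-Disposition: attachment or from a separate origin keeps any case the check misses from running in the application's origin.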