1. First, go to the setup/install.php page.
2. Put the XSS payload into the first name and last name input fields.
3. Fill in the other details and click 'continue'. As there is no validation, the malicious JavaScript is stored in the database and an agent account is created.
4. Now log in as that agent and navigate to the "agents" tab, where you can find the inserted payload in the first name and last name fields.
5. Now click on the first name value and see the payload execute.
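
The steps above point at two missing controls: validation when the installer accepts the name fields, and output encoding when the agents page renders them. The following is an added example, not code from the affected application; the helper names `validate_name` and `h`, the field keys `fname` and `lname`, and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only plausible personal names.
// Allows Unicode letters, combining marks, spaces, dots, apostrophes and hyphens.
function validate_name(string $value): ?string
{
    $value = trim($value);
    // Length limit is in bytes and is an arbitrary choice for this example.
    if ($value === '' || strlen($value) > 128) {
        return null;
    }
    $pattern = '/\A[\p{L}\p{M}][\p{L}\p{M} .\'-]*\z/u';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Hypothetical helper: encode a stored value for an HTML text or
// quoted-attribute context before it is written into a page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for the installer's POST fields.
$submitted = [
    'fname' => '<script>alert(1)</script>',
    'lname' => "O'Brien",
];

// Control 1: validate before the value is stored (step 3 of the report).
foreach ($submitted as $field => $raw) {
    $clean = validate_name($raw);
    printf("%s: %s\n", $field, $clean === null ? 'rejected' : 'accepted');
}

// Control 2: encode at render time (steps 4 and 5 of the report), so a value
// that is already in the database stays inert when the agents list shows it.
$storedFirstName = $submitted['fname'];
echo '<td>' . h($storedFirstName) . "</td>\n";
```

Output encoding is the control that closes the issue; validation only narrows what reaches the database and does not help with rows stored before the fix.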