Found a security issue in catalog/includes/functions/whos_online.php, line 30:
$wo_last_page_url = getenv('REQUEST_URI');
Replace with:
$wo_last_page_url = htmlspecialchars(getenv('REQUEST_URI'));
This XSS vulnerability affects the admin panel -> Who's Online page;
a hacker could easily grab your admin cookie.
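To make the report concrete, here is an added, stand-alone PHP example (not osCommerce's own code) that shows why the one-line fix matters: the store records the visitor's REQUEST_URI and the admin Who's Online page later echoes it into HTML, so any markup a visitor puts in the URL lands unchanged in the admin's browser. The sample request URI, the two helper functions and the `render_cell()` stand-in for the admin table cell are all constructed for this illustration.

```php
<?php
// Added example, not part of the original report or of osCommerce.
// Demonstrates the effect of wrapping the stored REQUEST_URI in
// htmlspecialchars(), as proposed for whos_online.php line 30.

// Constructed sample request URI containing HTML markup.
$request_uri = '/index.php?q=<script>alert(1)</script>';

// Before the fix: the raw value is stored and later rendered as-is.
function wo_last_page_url_vulnerable(string $uri): string
{
    return $uri;
}

// After the fix: the proposed htmlspecialchars() call. ENT_QUOTES and an
// explicit charset are added here so that single quotes are escaped too,
// which matters if the value ever ends up inside a quoted HTML attribute.
function wo_last_page_url_fixed(string $uri): string
{
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

// Minimal stand-in for the admin Who's Online table cell that displays
// the stored "last page" value.
function render_cell(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Vulnerable path: the <script> element reaches the admin's browser intact.
echo render_cell(wo_last_page_url_vulnerable($request_uri)), PHP_EOL;

// Fixed path: angle brackets and quotes become HTML entities, so the
// browser shows the URL as text instead of executing it.
echo render_cell(wo_last_page_url_fixed($request_uri)), PHP_EOL;
```

Run it with `php example.php`; the first line of output still contains a live `<script>` element while the second shows the brackets as `&lt;` and `&gt;` entities. Two practitioner notes: the report's fix escapes the value at storage time, which works because the admin page prints it directly, but the more robust habit is to escape at the point of output (every place the Who's Online page echoes a stored field), and to pass ENT_QUOTES so single-quoted attribute contexts are covered as well.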