Project description is persistent XSS vector for project admins


    • 4.03
    • 7.1

      This issue is a clone of another one that was fixed in OD but left unfixed in BTF as "admin xss". It has been pointed out by several customers that this exploit requires only project admin level of privilege.

      The following project description:

      <script>alert(1)</script>
      

      Pops up in the view project page, the admin page for the project, etc.

            Assignee: Oswaldo Hernandez (Inactive)
            Reporter: Andre Lehmann
            Votes: 0
            Watchers: 9

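Added example, not part of the original report and not Jira's own code: a regression check for the behaviour described above, which renders the stored description into two page templates and flags any page where the description adds markup-significant characters to the output. The template shapes and the names `pages`, `encodeHtml`, `raw` and `pagesChangedByDescription` are assumptions made for illustration.

```javascript
// Constructed example: hypothetical templates standing in for the
// "view project" page and the project admin page named in the report.
const PAYLOAD = "<script>alert(1)</script>"; // description quoted in the report

// Encode the characters that are significant in HTML text and
// quoted-attribute contexts.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The behaviour being reported: the stored value is written as-is.
const raw = (value) => String(value);

// Each template receives the stored description and the output function
// that decides how it is written into the markup.
const pages = {
  viewProject: (desc, out) => `<div class="project-desc">${out(desc)}</div>`,
  adminProject: (desc, out) => `<td title="${out(desc)}">${out(desc)}</td>`,
};

// Count characters that can open or close tags and attribute values.
const significant = (html) => (html.match(/[<>"']/g) || []).length;

// A correctly encoded description contributes only entity text, so the
// count must equal that of the same page rendered with an empty
// description. The check is conservative: it also flags quotes written
// unencoded into a text context.
function pagesChangedByDescription(description, out) {
  return Object.entries(pages)
    .filter(([, render]) =>
      significant(render(description, out)) !== significant(render("", out)))
    .map(([name]) => name);
}

console.log("written as-is:", pagesChangedByDescription(PAYLOAD, raw));
console.log("encoded:      ", pagesChangedByDescription(PAYLOAD, encodeHtml));
```

Run as a test over every template that prints the description, the check fails on any page where the stored value reaches the markup unencoded.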