Data passed to the users array is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator's browser session in the context of an affected site when the Activity Log is viewed.
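The flawed rendering pattern described above next to an output-encoded version, as an added example that is not code from the affected product. The entry layout, field names and function names are assumptions, and the sample entries are constructed.

```python
import html

# Constructed sample log entries; the field names are assumptions.
SAMPLE_ENTRIES = [
    {"action": "login", "users": ["alice", "bob"]},
    {"action": "export",
     "users": ["<script>alert(1)</script>", 'x" onmouseover="alert(2)']},
    {"action": "filter", "users": {"0": ["nested<b>"], "1": 42}},
]


def flatten_users(value):
    """Yield every scalar in a request-style 'users' value as a string.

    Array parameters can arrive as lists, as dicts (users[0]=...), or nested,
    so every leaf has to be reached before it is encoded.
    """
    if isinstance(value, dict):
        for item in value.values():
            yield from flatten_users(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from flatten_users(item)
    elif value is not None:
        yield str(value)


def render_row_unsafe(entry):
    """Flawed pattern: stored values are concatenated into markup as-is."""
    users = ", ".join(flatten_users(entry["users"]))
    return f'<tr><td>{entry["action"]}</td><td title="{users}">{users}</td></tr>'


def render_row_safe(entry):
    """Encode at output time; quote=True also covers the attribute context."""
    users = ", ".join(
        html.escape(user, quote=True) for user in flatten_users(entry["users"])
    )
    action = html.escape(str(entry["action"]), quote=True)
    return f'<tr><td>{action}</td><td title="{users}">{users}</td></tr>'


def render_log(entries, row=render_row_safe):
    """Build the log table an administrator would view."""
    return "<table>" + "".join(row(entry) for entry in entries) + "</table>"
```

Encoding when the log is rendered also neutralizes entries that were stored before any input validation was added.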
cc67de8d3167145440b4ed145030b423dd22807da9517ae0f71cfb1c16061d66