This issue was identified and reported by Stefan Härter - OTOBO.
An authenticated agent with admin permission is able to create an XSS payload to Dynamic Field validation-messages.
The issue is fixed in the current release 6.0.37 / 6.1.2 . All download links can be found in the release notes 6.0.37 / release notes 6.1.2.
Please update as soon as possible.