MAGNOLIA-3191 (project: Magnolia)

The content of log files is not escaped before being rendered via log viewer

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version/s: 4.2.4, 4.1.6, 4.3.2
    • Affects Version/s: 4.1.4, 4.2.3, 4.3.1
    • Component/s: admininterface
    • Labels: None

      Currently the content of the log files is assumed to be safe. This assumption is incorrect: the log file might include messages containing content entered by users in a search form or other input fields on the site, and therefore it must be escaped before it is rendered.
      While the impact of the issue is minimal with properly secured access to AdminCentral (access to the .magnolia URI restricted from the public net), I'm setting the priority to critical and will push the fix into the next maintenance release. Protecting the .magnolia URI means that even if an attacker were to obtain the session cookie, (s)he would not be able to log in to AdminCentral unless coming from the range of addresses from which access is allowed.

      Workaround:

      • do not use log viewer in the AdminCentral, but view the log files directly in the file system.
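The escaping the fix calls for, as an added example that is not Magnolia's own code: a toy log viewer renders constructed log4j-style lines (the line format and the sample entries are assumptions) first the flawed way, then with every field that originates from the log file HTML-escaped, together with a check that flags any tag in the output that did not come from the viewer's own markup.

```python
import html
import re

# Constructed sample lines in an assumed "timestamp level message" layout.
# The second line records a search term typed by a site visitor, logged verbatim.
SAMPLE_LOG = [
    "2010-06-01 10:15:02 INFO  info.magnolia.module.ModuleManager - Starting modules",
    '2010-06-01 10:15:31 WARN  info.magnolia.cms.search - query="<script>alert(1)</script>"',
]

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def render_unescaped(lines):
    """Flawed approach: log text is trusted and dropped straight into the HTML page."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_escaped(lines):
    """Hardened approach: only markup the viewer itself emits stays raw; every
    log-derived field (including unparsable lines) is escaped as text."""
    rows = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")
        else:
            ts, level, msg = "", "", line  # still untrusted text, still escaped
        rows.append(
            '<tr class="level-%s"><td>%s</td><td>%s</td><td>%s</td></tr>'
            % (html.escape(level.lower()), html.escape(ts), html.escape(level), html.escape(msg))
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_injected_tag(rendered_html, allowed=("pre", "table", "tr", "td")):
    """Detection check for the viewer's output: any tag name other than the
    viewer's own must have been smuggled in through log content."""
    tags = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered_html)}
    return bool(tags - set(allowed))
```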

    • Assignee: Jan Haderka
    • Reporter: Jan Haderka