My bad.
However - and please check me here - it appears there were 2 XSS vulnerabilities approximately a month apart.
(They added both to their database on 29 Jan 2020 and gave them similar names, and one is shown as ‘fixed in 2.7.7’, which, as you both say, should read v2.7.6; that threw me a bit.)
2.7.6 – 2019-12-08 changelog
Fix: Added HTML escaping to Admin class and to System Info
Yes, that one looks like it is fixed in v2.7.6.
2. Authenticated Reflected XSS
2.8.5 – 2020-01-27 changelog
Fix: Added data sanitization on System Info
That could still be a problem in the earlier version.
Possibly the problem was introduced after v2.7.6 but I have not looked at source code yet.
I know some of you may be running this in production.
This approach may help:
- look at changes between v2.8.5 and v2.8.4 (i.e. try to isolate the security fix)
- identify the problematic code and see if it exists in v2.7.6 [if not, no problem]
- if it does, try to fix v2.7.6
Sorry for the confusion.
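One way to mechanise the first two steps of that approach, as an added example and not code from the thread or the project: diff the release that carries the fix against the one before it, collect every line the fix removed, and report which of those lines still exist verbatim in the older release. It assumes the project lives in a git repository checked out in the current directory and that the releases are tagged v2.8.4, v2.8.5 and v2.7.6 (the tag names are an assumption; pass whatever refs your repository uses).

```shell
#!/bin/sh
# Usage: removed_lines_still_in <base-ref> <fix-ref> <old-ref> [pathspec...]
# Lists, one per line, the lines removed by the change base-ref -> fix-ref
# that are still present verbatim in old-ref. An empty result means none of
# the code the fix replaced survives in the older release (at least not
# line-for-line); a non-empty result is the list of places to inspect.
removed_lines_still_in() {
  base="$1"; fix="$2"; old="$3"; shift 3
  git diff "$base" "$fix" -- "$@" \
    | grep '^-' | grep -v '^--- ' | cut -c2- \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' | sort -u \
    | while IFS= read -r line; do
        # -F: match the line literally, not as a regex; -q: exit status only
        if git grep -qF -e "$line" "$old" -- "$@"; then
          printf '%s\n' "$line"
        fi
      done
}

# Example invocation for the releases discussed above (assumed tag names):
#   removed_lines_still_in v2.8.4 v2.8.5 v2.7.6
```

Lines that were merely moved or reindented by the fix will show up as well, so treat the output as a list of candidates to read, not as a verdict.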