web application – The input is reflected inside Javascript code between single quotes

I have started to learn about all Website Vulnerabilities lately.

today I started a scan on a school website of my town with Acunetix and it have found some Xss Bug like this:

URI was set to "onmouseover='nv7k(91772)'bad="
The input is reflected inside a tag parameter between double quotes      

and here is the Http request:

GET /admins/templates/ver5/?"onmouseover='nv7k(91772)'bad=" HTTP/1.1
Referer: http://www.nejabatbor.ir/
Cookie: wbopened=1630346429;poiusersession=6bqpaftaa490b6ko6jads3d8ua;poiadminsession=co81rer0uusvk9mqenjf 
0kip66;roundcube_sessid=i6in3brhfe2lteura1grv5hu7i
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Encoding: gzip,deflate
 Host: www.nejabatbor.ir
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
 Chrome/83.0.4103.61 Safari/537.36
 Connection: Keep-alive

And Http Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Aug 2021 18:19:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6514
Connection: keep-alive
Vary: Accept-Encoding,User-Agent
Original-Content-Encoding: gzip

<script src="https://security.stackexchange.com/templates/ver5/lib/popper.min.js?poiver"></script>
<link href="templates/ver5/lib/bootstrap.min.css?poiver" rel="stylesheet" />
<script src="templates/ver5/lib/bootstrap.min.js?poiver"></script>
<link href="templates/ver5/lib/fontawesome.min.css?poiver" rel="stylesheet" type="text/css" />
<link href="templates/ver5/lib/animate.css?poiver" rel="stylesheet" type="text/css" />
<script src="siteurljscripts/treeview/jquery.treeview.js?poiver" type="text/javascript"></script>
<link href="templates/ver5/lib/treeview.css?poiver" rel="stylesheet" type="text/css" />
<link href="templates/ver5/style.css?poiver" rel="stylesheet" type="text/css" />
<script>
    $(function () {
        $(document).ready(function () {
            $('(rel="tooltip")').tooltip();
            $(document).on("keydown", ":input:not(textarea):not(:submit)", function (event) {
                if (event.key == "Enter") {
                    //event.preventDefault();
                }
            });
        });
    });
</script>
<style>
    html,body {
        direction: poidirection!important;
        text-align: poileftright;
    }
    </style>
</head>
<body>
    <div id="tooltip"></div>
    <div class="wrapper scrollbar-dynamic">
        <header id="header" class="poibgpurple" >
            <div>
                                    <a rel="tooltip" title="Rahnama" href="#" onclick="javascript:void(window.open('http://help.ssch.ir/?"onmouseover='nv7k(91772)'bad="', '', 'width=900,height=500,left=0,top=0,resizable=yes,menubar=no,location=yes,status=yes,scrollbars=yes').focus());">
                        <i class="fas fa-question-circle" ></i>
                    </a>
                                                                                                                <a rel="tooltip" title="Increase Tools" class="toolbox-action" href="javascript:void(0);">
                            <i class="fas fa-cart-plus" onclick="window.location = '?app=buy'">
                            </i>
                        </a>
                                                                <a rel="tooltip" title="News" class="toolbox-action" href="javascript:void(0);" >
                            <i class="fas fa-bell" id="news" >
                            </i>
                        </a>
                                                    <div id="user-info" class="float-md-left" >
                    <span class="messages" id="expiredate">
                    </span>
                    <span class="messages">
                        <a href="javascript:void(0);">
                            </a></span>                 <a class="" style="color:#FFF;" href="index.php?task=logout" target="_parent">
                        <i class="fas fa-power-off"></i>
                    </a>
                </div>
            </div>
            <div style="white-space: nowrap;width: 100%; padding-top: 7px;">
                            </div>
        </header>
        <div class="al-content">
            <div id="ajaxcontent">
                            </div>
        </div>
        <script type="text/javascript">
            (function ($) {
                jQuery(document).ready(function () {
                    $('#ftp').click(function () {
                        //myDialogBoxOpen('File Managment', '<iframe style="width: 80%; height: 420px; border: none;" src="siteurljscripts/editor/plugins/elfinder/index.php?CKEditor=text&CKEditorFuncNum=1&langCode=fa"></iframe>');
                        window.open('siteurljscripts/editor/plugins/elfinder/index.php?CKEditor=text&CKEditorFuncNum=1&langCode=fa', 'window', 'help:no;toolbar=no,location=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=800,height=420,left=200,top=150;status:no;').focus();
                    });
                    /////////////////////
                    $('#sendmessage').live('click', function () {
                        $('#reciver').attr("disabled", true);
                        $('#messagestr').attr("disabled", true);
                        $('#sendmessage').attr("disabled", true);
                        var type = $('#type').val();
                        var query = "type=" + type + "&reciver=" + $('#reciver').val() + "&message=" + $('#messagestr').val();
                        var url = 'siteurl/admins/includes/sendmessage.php';
                        $.post(url, query, function (data) {
                            alert(data);
                            $('#reciver').removeAttr('disabled');
                            $('#messagestr').removeAttr('disabled');
                            $('#sendmessage').removeAttr('disabled');
                        });
                    });
                    $('.showsendmessage').click(function () {
                        var type = $(this).attr('rel');
                        var content = "<table><tr><td>Reciver :</td><td><input type="text" id="reciver" value=""  style="width:300px;text-align:left;direction:ltr;"/></td></tr>";
                        content += "<tr><td>Text:</td><td><textarea id="messagestr" style="width:300px;height:150px;"></textarea></td></tr></table>";
                        content += '<input type="hidden" id="type" value="' + type + '" />';
                        content += '<div align="center"><input type="button" id="sendmessage" value="Send" /><input type="button" onclick="closepage();" name="cancel" value="Cancel" /></div>';
                        $('#pageloader').html(content);
                        $('#pageloader').dialog({modal: true, width: 'auto', height: 'auto'});
                    });
                    $('#switchyear').change(function () {
                        Swal.fire({
                            title: 'change year for permanet?',
                            html: 'to Change name go to setting',
                            type: 'warning',
                            showCancelButton: true,
                            confirmButtonColor: '#3085d6',
                            cancelButtonColor: '#d33',
                            confirmButtonText: 'asdasd',
                            cancelButtonText: 'asdasd'
                        }).then((result) => {
                            if (result.value) {
                                document.location = document.location + '?&task=doswitchyear&theyear=' + $(this).val();
                            } else {
                                document.location = document.location + '?&app=initialdatas&view=settings&tab=3';
                            }
                        });
                    });
                    $('#forcebuyapp').change(function () {
                        jQuery.get('siteurladmins/includes/changeforcebuyapp.php?forcebuyapp=' + jQuery(this).val(), function (data) {
                            if (jQuery('#forcebuyapp').val() == '1') {
                                alert('ssss.');
                            }
                        });
                    });
                    $('#switchbranch').change(function () {
                        document.location = document.location + '&switchbranch=' + $(this).val();
                    });
                });
            })(jQuery);
            function checkexpiredate(expiredate) {
                var query = '';
                var url = 'siteurl/admins/includes/checkexpiredate.php?expiredate=' + expiredate + '&task=';
                jQuery.get(url, query, function (data) {
                    if (trim(data) != '') {
                        renewlink = 'https://www.twsh.ir/pay/?paymentid=sitedomain&name=  &title=REpay&desc=REpay&token=

The Link to the site: Vulnerabilitie Link

Can anyone explain if it is real? and if yes, what is it and how can anyone use this to attack.
(bye the way i changed some of the words in the http code from persian to English becouse the body dosnt allow persian words)