Key Information About the Vulnerability

CVE: CVE-2021-3863
Vulnerability Type: CWE-79: Cross-site Scripting (XSS) - Generic
Severity: Medium (5.5)
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Description

The vulnerability allows arbitrary JavaScript execution through file uploads: the uploaded filename is rendered without escaping, and uploaded SVG content is served in a way that lets embedded script run.

Reproduction Steps

XSS at Filename
1. Go to the detail of one asset.
2. At the "File" tab, choose to upload a file with a filename containing the payload: .

XSS When Uploading .SVG (If SVG File Types Are Allowed and Don't Have an Extension)
1. Go to the detail of one asset.
2. At the "File" tab, choose to upload a file with the payload embedded in the SVG content.

Impact

An attacker who gets a victim to view the crafted upload can steal the victim's session cookie and use it to gain unauthorized access to the victim's account.

Timeline and Resolution

Vulnerability reported on Oct 5th, 2021. The maintainer validated the vulnerability and awarded the disclosure bounty. A patch was implemented shortly afterwards, and the fix bounty was awarded. The CVE was published.
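Both reproduction cases come down to two server-side defects: the filename is echoed into HTML unescaped, and an SVG is recognized by extension (so an extensionless SVG is not treated as active content) and served inline. The following is an added example of the corresponding defender-side checks; it is not the affected project's code, and the upload samples, function names and header policy are constructed for illustration.

```python
import html
import re

# Constructed sample uploads (not from the advisory): a filename carrying markup,
# an extensionless file whose bytes are an SVG with a script element, and a clean SVG.
SAMPLE_UPLOADS = [
    ('report "Q3" <b>final</b>.pdf', b"%PDF-1.4 constructed placeholder"),
    ("logo", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
             b"<script>/* constructed marker */</script></svg>"),
    ("icon.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
]

# Script elements, on* event-handler attributes and javascript: URLs are the
# SVG features that turn an "image" into executable content.
SVG_ACTIVE_CONTENT = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def is_svg(data: bytes) -> bool:
    """Sniff the bytes instead of trusting the extension; an XML prolog or
    comment may precede the <svg> root, so look within the first kilobyte."""
    return b"<svg" in data[:1024].lower()


def svg_has_active_content(data: bytes) -> bool:
    return SVG_ACTIVE_CONTENT.search(data) is not None


def safe_display_name(filename: str) -> str:
    """Escape the stored filename at the point it is placed into HTML (case 1)."""
    return html.escape(filename, quote=True)


def decide_upload(filename: str, data: bytes) -> dict:
    """Return the escaped display name, whether to accept the file, and the
    headers to use when serving it back (case 2)."""
    decision = {"display_name": safe_display_name(filename), "accept": True, "headers": {}}
    if is_svg(data):
        if svg_has_active_content(data):
            decision["accept"] = False
            decision["reason"] = "SVG contains script, event handler or javascript: URL"
        else:
            # Even a clean SVG is returned as a download with a fixed type, never
            # rendered inline in the application's origin.
            decision["headers"] = {
                "Content-Type": "image/svg+xml",
                "Content-Disposition": "attachment",
                "X-Content-Type-Options": "nosniff",
            }
    return decision
```

Running `decide_upload` over `SAMPLE_UPLOADS` rejects the extensionless scripted SVG, escapes the markup in the PDF's filename, and serves the clean SVG as an attachment.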