by NoFile
3395 days ago
Thanks for reporting the issue.
The XSS was related to the filenames. Although most operating systems don't allow users to upload files containing greater-than/less-than symbols, it's possible to add them by tampering with the requests and changing the filename. From there you could change the filename to "<script>alert("xss")</script>" and run an XSS.
This has now been patched by encoding the characters. Once we're a bit more stable we'll be sure to release a bug bounty program.
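
The fix described in the comment above, shown as an added example that is not part of the original comment and is not NoFile's code: a filename taken from an upload request is HTML-encoded at output time, next to the unencoded rendering that caused the issue. The part header, function names and list markup are constructed for illustration.

```javascript
// Constructed sample: the part header of a multipart upload whose filename
// field was edited in transit, as the comment describes.
const SAMPLE_PART_HEADER =
  'Content-Disposition: form-data; name="file"; filename="<script>alert(\\"xss\\")</script>"';

// Pull the client-supplied filename out of a Content-Disposition header.
// Whatever the client puts here is untrusted input, not an OS-validated name.
function filenameFromDisposition(header) {
  const m = /filename="((?:\\.|[^"\\])*)"/i.exec(header);
  if (!m) return null;
  return m[1].replace(/\\(.)/g, "$1"); // undo quoted-string escapes
}

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change HTML parsing context,
// in both element content and quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before the fix: the filename is concatenated into markup as-is,
// so the browser parses it as HTML.
function renderUnencoded(name) {
  return `<li class="file">${name}</li>`;
}

// After the fix: the filename is encoded wherever it is written into HTML.
function renderEncoded(name) {
  const safe = escapeHtml(name);
  return `<li class="file" title="${safe}">${safe}</li>`;
}

const uploaded = filenameFromDisposition(SAMPLE_PART_HEADER);
console.log("unencoded:", renderUnencoded(uploaded));
console.log("encoded:  ", renderEncoded(uploaded));
```

Encoding belongs at the point of output: the stored filename stays unchanged, and every template that prints it applies the encoding.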