Hi,
The FileUpload web block, used to mask the file upload widget, is vulnerable to a Reflected Cross-Site Scripting attack when a user uploads a file with a payload filename (file name e.g. <img src=x onerror=alert(“XSS”)>). The file name is not being sanitized.
Thank you
Hello @José Pais
First of all, thanks for reaching out. This vulnerability is already in the backlog to be tackled on the next release under the code ROU-4661 for reference in the release notes.
Cheers, GM
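
The pattern behind the report above, as an added example that is not part of the original posts and is not the FileUpload block's own code: a file name concatenated into markup unchanged, next to a version that encodes it for the HTML context. The function names, the file-name class and the markup are assumptions made for illustration.

```javascript
// Added example: hypothetical names and markup, not the FileUpload block's code.

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise a client-supplied file name for display:
// drop control characters and cap the length.
function displayName(rawName) {
  return String(rawName).replace(/[\u0000-\u001f\u007f]/g, '').slice(0, 255);
}

// Vulnerable pattern: the file name reaches the markup unchanged,
// so any tags it contains are parsed by the browser.
function renderLabelUnsafe(rawName) {
  return '<span class="file-name">' + rawName + '</span>';
}

// Hardened pattern: normalise, then encode for the HTML context.
function renderLabelSafe(rawName) {
  return '<span class="file-name">' + escapeHtml(displayName(rawName)) + '</span>';
}

// In a browser, assigning to textContent avoids HTML parsing altogether.
// "element" is any DOM node that shows the selected file name.
function setLabel(element, rawName) {
  element.textContent = displayName(rawName);
}

// Constructed sample input: the file name quoted in the report.
const SAMPLE_NAME = '<img src=x onerror=alert("XSS")>';
```

The server should apply the same encoding wherever the stored file name is rendered again, since client-side handling only covers the upload page.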