By uploading and image with the title of
"><svg onload=alert(1)>.jpg and allowing anyone to edit the Document under collaboration settings, XSS can be triggered by any user attempting to edit the document.
- Log into marketplace and go to profile page. Select New > Document
- Enter anything as Description and and tags field
- Select visibility open to anyone
- Expand collaboration options and allow anyone to edit document. (This drastically increases security issue.)
- Choose to publish
- After publishing choose to Edit Document from the right hand menu and observe XSS.
Please see accompanying screenshots as POC
Please let me know if you need any more information. Cheers!