There is a stored XSS in username.slack.com.
Steps to reproduce:
- Log in to your Slack
- Go to "Create Private Group" and create a group with any name and purpose
- Go to https://manish.slack.com/messages/group/files/
- Upload a file by hitting the upload icon (^); the filename shall be "><img src=x onerror=alert(1);>.jpeg
- After the file is uploaded, click on the image or file title; the JS will execute because the filename is treated as the payload
I've attached the image showing XSS.
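
The fix for this class of bug is to encode the filename on output. The sketch below is an added example, not part of the original report and not Slack's code; the markup shape and the function names are assumptions. It renders the reported filename with and without escaping and counts the start tags a parser would see.

```javascript
// Added illustration: markup shape and all function names are assumptions.

// Constructed sample input: the filename quoted in the report.
const FILENAME = '"><img src=x onerror=alert(1);>.jpeg';

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that matter in HTML text and in quoted
// attribute values, so the same helper covers both output contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored filename is concatenated into markup as-is, so the
// leading "> closes the attribute and the tag, and the rest parses as HTML.
function renderFileTitleUnsafe(name) {
  return '<a class="file_title" title="' + name + '">' + name + '</a>';
}

// "After": the filename is encoded at output time, in both places it appears.
function renderFileTitleSafe(name) {
  const safe = escapeHtml(name);
  return '<a class="file_title" title="' + safe + '">' + safe + '</a>';
}

// Count element start tags in the rendered string. A correct render of a
// file title contains exactly one (the <a>); more means the name injected markup.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe start tags:', countStartTags(renderFileTitleUnsafe(FILENAME)));
console.log('safe start tags:  ', countStartTags(renderFileTitleSafe(FILENAME)));
console.log(renderFileTitleSafe(FILENAME));
```

Because the filename is stored and shown to other users, the encoding has to happen wherever it is rendered, not only at upload time.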