HackerOne report H1:808287 (hitman_47), Mar 01, 2020 - 11:44 p.m.

Nextcloud: Unrestricted file upload on the image of contacts

2020-03-01 23:44:39
hitman_47
hackerone.com
$100
19

EPSS: 0.001

Percentile: 22.7%

When uploading an image for a contact, the file upload pop-up window shows that it accepts files of any data type. For my testing I uploaded a sample executable, named 'SimpleCrackMe.exe', which doesn't really do anything without passing parameters to it on a terminal when running it. The file was uploaded successfully.

Impact

An attacker could upload a dangerous executable file like a virus, malware, etc. If you don't think this is a vulnerability, please let me close the report myself so that I don't lose points.
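The report only shows the client-side picker accepting any file type; it does not show what the server does with the upload. The defensive pattern for an image endpoint is to decide by file content (magic bytes) rather than by the client's filename or declared Content-Type, cap the size, and derive the stored name from the content. The following is an added example written for this page, not Nextcloud's or the contacts app's own code; the allowed formats, the size cap and the sample byte strings are all assumptions constructed for illustration.

```python
"""Added example (not Nextcloud code): server-side validation of a
contact-photo upload that decides by file content, not by the client's
filename or declared MIME type. All sample bytes below are constructed."""
import hashlib

# Image formats a contact-photo endpoint would reasonably accept (assumption).
ALLOWED_TYPES = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
MAX_PHOTO_BYTES = 5 * 1024 * 1024  # size cap; an assumed policy value


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the file's magic bytes, or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def validate_contact_photo(filename: str, claimed_type: str, data: bytes):
    """Accept or reject an upload. Returns (accepted, detail).

    `filename` and `claimed_type` come from the client and are untrusted;
    they are kept only for logging. The decision rests on the sniffed type."""
    if not data:
        return False, "empty upload"
    if len(data) > MAX_PHOTO_BYTES:
        return False, "upload exceeds size limit"
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed not in ALLOWED_TYPES:
        return False, "content is not an accepted image format"
    if claimed_type != sniffed:
        # A mismatch is recorded, not fatal: browsers often misreport types,
        # but the type we store and serve is always the sniffed one.
        return True, f"{sniffed} (client declared {claimed_type!r})"
    return True, sniffed


def stored_photo_name(data: bytes) -> str:
    """Derive the on-disk name from the content, never from the client's
    filename, so a file submitted as 'SimpleCrackMe.exe' can only be stored
    as an image with an image extension, or not at all."""
    sniffed = sniff_image_type(data)
    if sniffed not in ALLOWED_TYPES:
        raise ValueError("refusing to name a non-image upload")
    digest = hashlib.sha256(data).hexdigest()[:16]
    return f"contact-photo-{digest}.{ALLOWED_TYPES[sniffed]}"


# Constructed sample inputs (not real files): a PNG signature plus filler,
# and a blob that starts with the 'MZ' marker PE executables carry.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_EXE = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    cases = [
        ("photo.png", "image/png", SAMPLE_PNG),
        ("SimpleCrackMe.exe", "application/octet-stream", SAMPLE_EXE),
        ("photo.exe", "image/png", SAMPLE_PNG),  # extension lies, content is PNG
        ("photo.png", "image/png", SAMPLE_EXE),  # extension lies, content is not
    ]
    for name, ctype, blob in cases:
        print(name, validate_contact_photo(name, ctype, blob))
```

The third and fourth cases are the point: an extension or declared type that disagrees with the bytes changes nothing, because only the sniffed content decides. Magic-byte checks establish the container format, not that the file is harmless, so in a real deployment this check would sit alongside re-encoding the image through a trusted library and serving it with a fixed image Content-Type.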
