The application allows .svg files to upload which leads to stored XSS
1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing
2.Login to the application with Co-admin account and go to “Settings” -> “Image Manager” and upload the downloaded “XSS.svg” payload.
3.Then login with admin account and go to “Settings” -> “Image Manager” and select the “XSS.svg” and open it on a new tab or open the uploaded location you will see that XSS will trigger and this can lead to the admin account takeover.
https://drive.google.com/file/d/1jdjUHuQPG0xVR3pImcg3vT4cuxhIEuBi/view?usp=sharing