GHSA-HG25-W3VG-7279 XSS in the /download Endpoint of the JPA Web API
Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...