LocalTapiola: Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
Hi, I am pretty sure that I found a vulnerability similar to https://hackerone.com/reports/135154. An adversary can use the "Lähetä viesti" functionality of the LähiTapiola Asiakassalkku to send a malicious file. When the customer service opens the file, an XSS will execute and will leak user IP...