PT-2021-24443 · Unknown · Ezplatform-Kernel

Published: 2021-03-19 · Updated: 2021-03-19

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: ezplatform-kernel (affected versions not specified)
Description: The issue allows uploading files such as .html and .js, which may contain XSS payloads that execute in the victim's browser when the uploaded file is accessed. The upload is possible through the file upload feature by certain means.
Recommendations: To resolve the issue, add common scriptable file types to the configuration of the existing file type blacklist feature by modifying the ezsettings.default.io.file_storage.file_type_blacklist setting. This can be done manually, without installing patched versions. Adapt the setting to your own needs and do not blacklist file types that your site legitimately requires for upload. For example, if SVG files need to be uploaded, consider an approval workflow for such content instead of blacklisting them.
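As an added example (not text from the advisory or from the eZ project), this is the kind of parameter override the recommendation describes. It assumes the setting is a Symfony container parameter defined in a config file the application loads, such as config/packages/ezplatform.yaml; the PHP-style entries in the list reflect what ezplatform-kernel is assumed to block by default and should be checked against the installed default settings before use.

```yaml
# Added example, not the advisory's own text.
# Assumed location: config/packages/ezplatform.yaml (any parameters file the app loads).
parameters:
    # Weak setting (assumed shipped default): only PHP-style extensions are
    # blocked, so .html, .js and .svg uploads are accepted, and a browser that
    # opens one of them runs any embedded script within the site's origin.
    #
    # ezsettings.default.io.file_storage.file_type_blacklist:
    #     ['php', 'php3', 'phar', 'phpt', 'pht', 'phtml', 'pgif']

    # Hardened setting. Overriding a parameter replaces the whole list rather
    # than merging with the default, so the original entries are repeated here.
    # Extensions are listed without the leading dot.
    ezsettings.default.io.file_storage.file_type_blacklist:
        - php
        - php3
        - phar
        - phpt
        - pht
        - phtml
        - pgif
        # Scriptable browser-rendered types added per the advisory:
        - html
        - htm
        - xhtml
        - js
        - mjs
        - svg   # remove this entry if SVG upload is required; use an approval workflow instead
```

If the installation also defines siteaccess-scoped variants of this parameter (a different scope name in place of `default`), those take precedence for that siteaccess and need the same additions.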

XSS


Weakness Enumeration

Related Identifiers

GHSA-MRVJ-7Q4F-5P42

Affected Products

Ezplatform-Kernel