The application does not validate uploaded files: neither the file extension nor the actual content of the file is checked. As a result, an attacker can upload a malicious file whose content is rendered by the browser, leading to cross-site scripting (XSS).
Video POC:
https://drive.google.com/file/d/1QZSCvgrmdXaZb7xoD-eA0iLlL7vDPKYw/view?usp=sharing
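The missing controls described above can be illustrated with an added example of the server-side validation a defender would put in front of the upload handler. This is example code written for this page, not code from the affected application; `validate_upload` and `response_headers_for` are hypothetical helper names, the allowlist and the byte markers are assumptions chosen for the demonstration, and the sample uploads in `main` are constructed inline. It checks the extension against an allowlist, checks that the bytes actually start with the magic number of the claimed type, rejects files whose body carries browser-executable markup (the polyglot case, where a valid image header is followed by HTML), and builds the response headers that stop a browser from sniffing a stored upload into a page.

```python
import os

# Extension allowlist, each mapped to the magic-byte prefixes a genuine file of that type starts with.
# (Assumed policy for the example: images and PDF only; no HTML, SVG or script-bearing types.)
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# MIME type to emit for each allowed extension when the file is served back.
CONTENT_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# Byte sequences that mark active web content. A file containing these after a valid image header
# is a polyglot that some browsers would still render as HTML if served without a nosniff header.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<svg", b"<html", b"<iframe", b"javascript:", b"onerror=")


def validate_upload(filename, content):
    """Return (accepted, reason) for an upload, checking both the name and the bytes."""
    base = os.path.basename(filename)          # drop any directory components the client sent
    if "\x00" in base:
        return False, "null byte in filename"
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or not parts[0]:
        return False, "missing extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # Extension check alone is the gap the report describes: the content must match the claimed type.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # Reject image/HTML polyglots: valid header, script body.
    lowered = content.lower()
    if any(marker in lowered for marker in ACTIVE_CONTENT_MARKERS):
        return False, "active content found inside file"
    return True, "ok"


def response_headers_for(ext, stored_name):
    """Headers for serving a stored upload so the browser cannot treat it as a document of its own."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",                       # honour Content-Type, do not sniff
        "Content-Disposition": f'attachment; filename="{stored_name}"',  # download, never inline render
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script execution if rendered anyway
    }


def main():
    # Constructed sample uploads for the demonstration.
    samples = [
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),                     # genuine image
        ("avatar.html", b"<html><script>alert(1)</script></html>"),              # wrong extension
        ("avatar.png", b"<html><script>alert(1)</script></html>"),               # renamed HTML
        ("avatar.png", b"\x89PNG\r\n\x1a\n<script>alert(1)</script>"),           # image/HTML polyglot
        ("../../avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),               # path traversal in name
    ]
    for name, body in samples:
        print(name, validate_upload(name, body))
    print(response_headers_for("png", "avatar.png"))


if __name__ == "__main__":
    main()
```

The content check and the response headers belong together: validation keeps HTML out of storage, and `nosniff` plus `Content-Disposition: attachment` keep the browser from executing anything that slips through. The marker scan is a heuristic, so the headers, not the scan, are the control to rely on.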