The application allows .svg files to upload which lead to stored XSS
1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile.
2.Now open the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )
3.Then XSS will trigger for allowing malicious svg extension.
https://drive.google.com/file/d/1_KOXMP_-jMhF4jEtg6XI_NopDNp5ZRCM/view?usp=sharing
This allows attackers to execute malicious scripts in the userβs browser and it can lead to session hijacking, sensitive data exposure, and worse.