The location endpoint does not sanitize input, which leads to stored cross-site scripting (XSS).
1. Log in as a standard user [non-admin] > Asset page > List All
https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drive_link
2. Click to open any asset > Edit Asset
https://drive.google.com/file/d/14a5UoZ1K6KQgIp6xZq5JJZpBwuhVPbPS/view?usp=drive_link
3. Create a new location, add the payload: <script>alert("Testing")</script>, and save the asset
https://drive.google.com/file/d/1bUB94JO9EsbdZ1qbKVVHip2mARJ5Sp-W/view?usp=drive_link
https://drive.google.com/file/d/199_wIhmlvs6Zkx1Q-vJr8MjS9u0yB18o/view?usp=drive_link
4. Now log in to the Admin account > Asset page > List All
https://drive.google.com/file/d/1ZoQXQhtWLlq4_Jqp2KesTNp73F3MnQro/view?usp=drive_link
5. Open the same asset whose location was changed and the payload will be executed.
https://drive.google.com/file/d/18QXuJRZ0gh_wUegp5JI2EpK1g2jCF4CC/view?usp=drive_link
Video POC: https://drive.google.com/file/d/1ELndiBIkWu6nIfib2p-uXqsTALABC2F8/view?usp=sharing
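
The steps above work because the stored location name reaches the admin's asset view without output encoding. The following is an added example, not code from the affected application: it renders the location row both ways so the difference is visible. All function names and the asset record are hypothetical.

```javascript
// Added illustration; not code from the affected application.
// escapeHtml, renderLocationUnsafe, renderLocationSafe and the asset record are hypothetical.

// Characters that are significant in HTML element content and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored location name is concatenated into markup as-is.
function renderLocationUnsafe(asset) {
  return `<tr><th>Location</th><td>${asset.location.name}</td></tr>`;
}

// Hardened pattern: the same stored value is encoded at the point of output.
function renderLocationSafe(asset) {
  return `<tr><th>Location</th><td>${escapeHtml(asset.location.name)}</td></tr>`;
}

// True when rendered markup still contains a live script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed record: the location name saved by the standard user in step 3.
const asset = {
  id: 1,
  name: "Laptop-01",
  location: { name: '<script>alert("Testing")</script>' },
};

console.log("unsafe:", renderLocationUnsafe(asset));
console.log("safe:  ", renderLocationSafe(asset));
```

Because the encoding happens at render time, location names that were already stored with markup are displayed as text as well.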