A stored XSS vulnerability is present in all file upload mechanisms. In particular:
- the form for adding attachments to a document (dashboard, publications, etc.)
- the form used to change the profile picture.
An attacker can upload a file in .svg format with the following content:
An exploit for this vulnerability has been public for a few years: https://www.exploit-db.com/exploits/49437
Note: all forms that allow you to upload a file to the server are vulnerable.