io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. The severity of the vulnerability is mitigated by the fact that the application UI and the generic REST …