Cross Site Scripting(XSS) Vulnerability via upload in Latest Release 3.4.0a admin/upload.php

[Aquilao]

Hi, I would like to report Cross Site Scripting(XSS) Vulnerability via upload in latest release(3.4.0a) admin/upload.php.

Description:
Cross-site scripting (XSS) vulnerability in admin/upload.php
url:
http://localhost/admin/upload.php

There use blacklist, I can't upload some file like php、html, but I can Upload any extensions name not on the blacklist, like a.asd、b.lol. Browsers will interpret it as html, so we can execute JavaScript code.

payload:

<html>
<img src=x onerror=alert(1)> <--xss test
</html>

Upload XSS.lol and visit it.