The application image file upload allowed authenticated users to upload
malious .html files. Opening such a file like
https://push.gotify.net/image/ViaxrjzNowdgL-xnEfVV-Ggv5.html
would allow the attacker to execute client side scripts.
The application image upload will now only allow the upload of files
with the following extensions: .gif, .png, .jpg and .jpeg.
Jannis Mattheis