Vulnerability found in file upload (Stored-XSS possible)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
one year ago
nopCommerce version: 4.50.3 (possibly also in other versions)
Description: Vulnerability found in file upload due to client-side ability to determine content-type.
The extensions that are allowed are defined, but they can be overwritten in the POST.

We analyze the valid POST request to: POST /Admin/Picture/AsyncUpload
We change the Content-Type from image/gif to image/svg and the content of the file contains the XSS code.

The validation of the response is:
Now that you have an SVG file on the server, an already described vulnerability can be exploited as demonstrated here: https://infosecwriteups.com/stored-xss-using-svg-file-2e3608248fae
From the forum you can link to the file and run a Stored-XSS.
http://localhost/images/thumbs/test.svg

We advise determining the content-type server-side to fix the vulnerability.
Please let us know if you require additional information.
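Server-side content-type determination of the kind the report recommends, as an added example (not nopCommerce's own code): the upload's leading bytes decide its type and the stored extension, so the client's Content-Type header and filename cannot turn a "GIF" upload into an SVG on disk. The function names, the allowlist and the sample inputs are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
import re

# Signatures of the raster formats we accept; anything else (SVG included,
# since it is XML text with no binary magic) is refused outright.
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)
# Extension the server assigns per sniffed type; the client's choice is ignored.
EXT_FOR = {"image/gif": ".gif", "image/png": ".png", "image/jpeg": ".jpg"}


@dataclass
class Decision:
    accepted: bool
    content_type: Optional[str]   # server-determined, never the request header
    stored_name: Optional[str]
    reason: str


def sniff_content_type(data: bytes) -> Optional[str]:
    """Derive the MIME type from the leading bytes of the upload."""
    for sig, ctype in MAGIC:
        if data.startswith(sig):
            return ctype
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Decision:
    """Accept only allowlisted raster images and name the stored file from the
    sniffed type, so a forged Content-Type cannot yield a .svg on disk."""
    actual = sniff_content_type(data)
    if actual is None:
        return Decision(False, None, None, "content is not an allowlisted image format")
    # The header is advisory: a mismatch is worth logging, but the sniffed type wins.
    reason = "ok" if declared_type == actual else f"declared {declared_type}, sniffed {actual}"
    # Keep only a safe base name; drop the client's extension and any path characters.
    base = re.sub(r"[^A-Za-z0-9_-]", "_", filename.rsplit(".", 1)[0])[:64] or "upload"
    return Decision(True, actual, base + EXT_FOR[actual], reason)


if __name__ == "__main__":
    # Constructed inputs: a real GIF header and a minimal, script-free SVG document.
    gif = b"GIF89a" + b"\x00" * 20
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'
    print(validate_upload("test.gif", "image/gif", gif))       # accepted as test.gif
    print(validate_upload("test.gif", "image/svg+xml", svg))   # rejected
```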
one year ago
We've already fixed it for the public store. But we've decided to leave it for the admin area because it doesn't make any sense for a store owner to "hack" their own store.
one year ago
Thanks for applying the fix as described in https://github.com/nopSolutions/nopCommerce/issues/6378

It makes sense to secure it by default ;-)