elFinder < v2.1.63 - Filename Restriction Bypass Leading To Persistent Cross-site Scripting Vulnerability

A html file can be uploaded with .html.aaa or .htm.aaa file extensions. When the file is opened, it executes the Javascript code inside it. On the other hand, file uploading with the .html. and .htm. file extensions are enough to execute Javascript for Linux servers. The WinRemoveTailDots plugin prevents uploading these file extensions using rtrim function for Windows server.