@Micke1101 is right, CVE-2017-14396 was fixed in v1.10.1.
"In 1.10.1 there are CVE-2017-15362 and CVE-2017-15580, however, a malicious user must be logged in to be able to abuse these."For CVE-2017-15580, this isn't really an issue as we scan/check every file's extension, mime-type, size, etc. to ensure the file is what it says it is. If anything is mismatched with the exif data then we deny the file. As of now, we have no way of scanning an entire file and ensuring that all contents within it is "safe". We are actively looking into ways we can accomplish this though."In 1.10.1 there are CVE-2017-15362 and CVE-2017-15580, however, a malicious user must be logged in to be able to abuse these."As for CVE-2017-15362, the guy who reported this vulnerability to us gave little to no information on how he accomplished the XSS'ing. I tried and tried to replicate what he said was vulnerable but could not accomplish it. With this being said I'm no 1337 hacker so it could be possible. Still trying to get info from him lol"Any thoughts on question (or if it's made by design) suggestion 2?"The line that @Micke11
01 referenced states: // TODO: Consider CHMOD on the fileThis means that we haven't gotten to this yet and it's still under consideration/discussion.Thanks for the reports/concerns. Cheers.