Crucible server is vulnerable to stored xss via file upload within certain endpoint  A malicious, authenticated user with the ability to modify reviews can upload a malicious php file with an XSS payload.