FTAPI 4.0 – 4.10 allows XSS via a crafted filename to the alternative text hover box in the file submission component.
