Most developers often miss out on sanitizing the uploaded image name parameter. Attackers are executing stored cross-site scripting attacks in the application.

For more details: blog.entersoftsecurity.com/vulnerability-xss-in-image-name