There is another stored XSS when uploading files, this is because of incorrect file name handling when showing the file name.
Steps to reproduce:
1) Add a note to anyting (for example a bug Ticket)
2) Upload a file
3) Create a file called <img src=x onerror=alert(0)>.log
4) Upload <img src=x onerror=alert(0)>.log
5) XSS will be executed, then click on Save
6) Anyone that views the note will get the xss executed