User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Steps to reproduce:
I did a test on the https://bugzilla-dev.allizom.org/show_bug.cgi?id=1629597 and found that I can upload a svg file and it is visible on a direct link. (Visible for all.. if you specify in the settings initially, that can be seen by everyone. But I didn't do it.)
This can be used as a typical stored xss. But..I didn’t test from an attacker's perspective.