A malicious actor can store and distribute malicious files on D365. Also, an attacker might be able to upload malicious executables or malicious documents and execute commands in the victim user's browser, including operations in the application on behalf of the victim user or exfiltrating sensitive information, such as a session identifier. 

Please consider applying the following constraint regarding the file upload functionality:

• Malware scanning should be implemented on all uploaded files.