In Joomla! Core prior to 3.8.8, inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.
joomla joomla!