Rating:

hmac doesn’t include iv -> XSS

Original writeup (https://grosquildu.github.io/writeups/2019/03/22/insomnihack/#securefileupload).