Affects Version/s: 6.0.X EE, 6.1.0 CE GA1, 6.1.10 EE GA1, 6.2.0 CE M2
Steps to reproduce:
1)Upload the attached xss.html
2)Select the file, go to the information screen
On the right there is 3 links to allow for downloading the file: "Download (0.1k) Get URL or WebDAV URL"
3)Click the WebDAV URL, and copy paste the URL for that in a new tab in your browser
Note that the XSS popup is shown in the browser, instead of the file being downloaded as text.
When you click get URL and use the given URL, the file is properly downloaded and not shown as HTML.