Dinko Galetic and Denis Kasak reported the issue and the fix (via https://hackerone.com/dgaletic).