This was my first report, so it is a bit of a mess.
Let me explain: I found an XSS when I send an image in the support chat and change the image name to some script.
You can ignore the CSRF part, since the hacker can inject XSS in the support, then send a message (as support) with the XSS image to ev…