In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.
http://packetstormsecurity.com/files/153613/Sitecore-9.0-Rev-171002-Cross-Site-Scripting.html