An access control issue in a fallback price oracle contract. Under normal circumstances, Aave V3 will try to use the Chainlink oracle to get price information...
By hiding a cross-site scripting attack in the profile update functionality, specifically the profile image. Judging from the payload, it looks like a straightforward unescaped input that gets reflected on profile pages, though they did need to contend with Cloudflare's WAF...