A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.