While I was pentesting a web application, I found out that files that are uploaded to the web application are stored in an AWS S3 instance. Based on my experience, when a web application needs to store all types of files, including files with potential malicious extensions (.php, .exe, .js and etc.), they will not allow the AWS S3 instance to view/execute the file content on the server, so they will automatically download the file instead of running it. Surprisingly, the AWS S3 instance is configured to view/execute all types of files. So, when I tried uploading a .html file, the HTML tags are executed. Other than uploading .html files and creating my own HTML page, what are other security concerns/exploits that can be done through the misconfigured AWS S3 Instance?
Additional Information: I was able to upload .html and .js file and execute it on the AWS S3 instance