Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
avatar vulnerabilities and exploits
(subscribe to this query)
8.8
CVSSv3
CVE-2020-20588
File upload vulnerability in function upload in action/Core.class.php in zhimengzhe iBarn 1.5 allows remote malicious users to run arbitrary code via avatar upload to index.php.
Ibarn Project Ibarn 1.5
8
CVSSv3
CVE-2020-12846
Zimbra prior to 8.8.15 Patch 10 and 9.x prior to 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox ...
Synacor Zimbra Collaboration Suite
Synacor Zimbra Collaboration Suite 8.8.15
Synacor Zimbra Collaboration Suite 9.0.0
5.4
CVSSv3
CVE-2023-49444
An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow malicious users to execute arbitrary code via uploading a crafted HTML or image file to the user avatar.
Html-js Doracms 2.1.8
NA
CVE-2006-7080
Directory traversal vulnerability in the avatar upload feature in exV2 2.0.4.3 and previous versions allows remote malicious users to delete arbitrary files via ".." sequences in the old_avatar parameter.
Exv2 Content Management System
1 EDB exploit
6.1
CVSSv3
CVE-2021-35303
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote malicious users to execute arbitrary web script or HTML via the User Avatar attribute.
Zammad Zammad
9.8
CVSSv3
CVE-2020-19302
An arbitrary file upload vulnerability in the avatar upload function of vaeThink v1.0.1 allows malicious users to open a webshell via changing uploaded file suffixes to ".php".
Vaethink Vaethink 1.0.1
4.6
CVSSv3
CVE-2023-30791
Plane version 0.7.1-dev allows an malicious user to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
Plane Plane 0.7.1
7.8
CVSSv3
CVE-2023-43838
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows malicious users to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
Personal-management-system Personal Management System 1.4.64
1 Github repository
7.2
CVSSv3
CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and ab...
2 Github repositories
NA
CVE-2006-5650
The ICQPhone.SipxPhoneManager ActiveX control in America Online ICQ 5.1 allows remote malicious users to download and execute arbitrary code via the DownloadAgent function, as demonstrated using an ICQ avatar.
Aol Icq 5.1
2 EDB exploits
1 Github repository
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-23316
SQL injection
type confusion
CVE-2024-20697
CVE-2024-4344
local
CVE-2024-30043
CVE-2024-3821
CVE-2024-5041
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »