avatar vulnerabilities and exploits
NA
CVE-2020-20588
File upload vulnerability in function upload in action/Core.class.php in zhimengzhe iBarn 1.5 allows remote malicious users to run arbitrary code via avatar upload to index.php.
Ibarn Project Ibarn 1.5
7.5
CVSSv2
CVE-2005-0743
The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and previous versions allows remote malicious users to upload arbitrary PHP scripts, whose file extensions are not filtered.
Xoops Xoops 1.3.6
Xoops Xoops 2.0.5.1
Xoops Xoops 2.0.2
Xoops Xoops 2.0.5.2
Xoops Xoops 1.3.10
Xoops Xoops 1.3.5
Xoops Xoops 2.0.9.2
Xoops Xoops 2.0.3
Xoops Xoops 1.0 Rc1
Xoops Xoops 1.3.9
Xoops Xoops 1.0 Rc3.0.5
Xoops Xoops 2.0.1
Xoops Xoops 1.3.7
Xoops Xoops 1.0 Rc3
Xoops Xoops 2.0
Xoops Xoops 2.0.5
Xoops Xoops 1.3.8
6
CVSSv2
CVE-2020-12846
Zimbra prior to 8.8.15 Patch 10 and 9.x prior to 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe, sh, bat, jar) in the Contact section of the mailbox ...
Synacor Zimbra Collaboration Suite 8.8.15
Synacor Zimbra Collaboration Suite
Synacor Zimbra Collaboration Suite 9.0.0
NA
CVE-2023-49444
An arbitrary file upload vulnerability in DoraCMS v2.1.8 allows malicious users to execute arbitrary code via uploading a crafted HTML or image file to the user avatar.
Html-js Doracms 2.1.8
4.3
CVSSv2
CVE-2006-7080
Directory traversal vulnerability in the avatar upload feature in exV2 2.0.4.3 and previous versions allows remote malicious users to delete arbitrary files via ".." sequences in the old_avatar parameter.
Exv2 Content Management System
1 EDB exploit
7.5
CVSSv2
CVE-2020-19302
An arbitrary file upload vulnerability in the avatar upload function of vaeThink v1.0.1 allows malicious users to open a webshell via changing uploaded file suffixes to ".php".
Vaethink Vaethink 1.0.1
4.3
CVSSv2
CVE-2021-35303
Cross Site Scripting (XSS) in Zammad 1.0.x up to 4.0.0 allows remote malicious users to execute arbitrary web script or HTML via the User Avatar attribute.
Zammad Zammad
NA
CVE-2023-30791
Plane version 0.7.1-dev allows a malicious user to change the avatar of his profile, which allows uploading files with HTML extension that interprets both HTML and JavaScript.
Plane Plane 0.7.1
NA
CVE-2023-43838
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows malicious users to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
Personal-management-system Personal Management System 1.4.64
1 Github repository
NA
CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and ab...
2 Github repositories