Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
avatar vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2008-6502
Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows remote authenticated users to select an arbitrary local PHP script as an avatar via a .. (dot dot) in the avatar parameter, and cause other users to execute this script by using sendData.php to send a message to (1)...
Prochatrooms Pro Chat Rooms 3.0.2
1 EDB exploit
5.4
CVSSv3
CVE-2018-10268
An issue exists in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.
Fastadmin Fastadmin 1.0.0.20180417
8.8
CVSSv3
CVE-2020-18476
SQL Injection vulnerability in Hucart CMS 5.7.4 via the basic information field found in the avatar usd_image field.
Hucart Hucart 5.7.4
5.4
CVSSv3
CVE-2022-24868
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions before 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a resu...
Glpi-project Glpi
5.4
CVSSv3
CVE-2020-13248
BooleBox Secure File Sharing Utility prior to 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx.
Boolebox Boolebox
NA
CVE-2011-5133
Unspecified vulnerability in MyBB prior to 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."
Mybb Mybb 1.6.0
Mybb Mybb 1.5.2
Mybb Mybb 1.4.8
Mybb Mybb 1.4.1
Mybb Mybb 1.4.15
Mybb Mybb 1.4.0
Mybb Mybb 1.3
Mybb Mybb 1.2.12
Mybb Mybb 1.2.9
Mybb Mybb 1.2.6
Mybb Mybb 1.2.5
Mybb Mybb 1.1.6
Mybb Mybb 1.1.1
Mybb Mybb 1.6.1
Mybb Mybb 1.6.2
Mybb Mybb 1.6.3
Mybb Mybb 1.5.1
Mybb Mybb 1.4.13
Mybb Mybb 1.4.12
Mybb Mybb 1.4.7
Mybb Mybb 1.4.5
Mybb Mybb 1.2.13
NA
CVE-2024-24028
Server Side Request Forgery (SSRF) vulnerability in Likeshop prior to 2.5.7 allows malicious users to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo.
NA
CVE-2005-0662
Cross-site scripting (XSS) vulnerability in index.php for MercuryBoard 1.1.2 allows remote malicious users to inject arbitrary web script or HTML via the Avatar field.
Mercuryboard Mercuryboard 1.1.2
9.8
CVSSv3
CVE-2016-11020
Kunena prior to 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
Kunena Kunena
NA
CVE-2005-0743
The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and previous versions allows remote malicious users to upload arbitrary PHP scripts, whose file extensions are not filtered.
Xoops Xoops 1.0 Rc1
Xoops Xoops 1.0 Rc3
Xoops Xoops 1.3.9
Xoops Xoops 2.0
Xoops Xoops 1.3.5
Xoops Xoops 1.3.6
Xoops Xoops 2.0.5
Xoops Xoops 2.0.5.1
Xoops Xoops 1.3.7
Xoops Xoops 1.3.8
Xoops Xoops 2.0.5.2
Xoops Xoops 2.0.9.2
Xoops Xoops 1.0 Rc3.0.5
Xoops Xoops 1.3.10
Xoops Xoops 2.0.1
Xoops Xoops 2.0.2
Xoops Xoops 2.0.3
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-34377
CVE-2024-20859
CVE-2023-49606
inject
arbitrary
CVE-2024-33788
CVE-2024-30973
IDOR
CVE-2024-33907
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »