Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
avatar vulnerabilities and exploits
(subscribe to this query)
8.8
CVSSv3
CVE-2018-11392
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" prior to 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field...
Jigowatt Php Login \\& User Management
5.4
CVSSv3
CVE-2018-10268
An issue exists in FastAdmin V1.0.0.20180417_beta. There is XSS via the application\api\controller\User.php avatar parameter.
Fastadmin Fastadmin 1.0.0.20180417
7.5
CVSSv3
CVE-2018-9205
Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path.
Drupal Avatar Uploader 7.x-1.0
1 EDB exploit
7.5
CVSSv3
CVE-2017-1000419
phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar function resulting allowing an malicious user to perform port scanning, requesting internal content and potentially attacking such internal services via the web application.
Phpbb Phpbb 3.2.0
6.1
CVSSv3
CVE-2017-16881
b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON objects, as demonstrated by a crafted userAvatarURL value to /settings/avatar, related to processor/AdminProcessor.java, processor/ArticleProcessor.java, processor/UserProcessor.java, service/ArticleQueryService...
Symphony Project Symphony 2.2.0
5.4
CVSSv3
CVE-2017-15284
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
Octobercms October 1.0.425
1 EDB exploit
6.1
CVSSv3
CVE-2017-8778
GitLab prior to 8.14.9, 8.15.x prior to 8.15.6, and 8.16.x prior to 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document.
Gitlab Gitlab 8.16.0
Gitlab Gitlab 8.15.0
Gitlab Gitlab 8.15.1
Gitlab Gitlab 8.15.2
Gitlab Gitlab 8.15.3
Gitlab Gitlab 8.16.2
Gitlab Gitlab 8.16.4
Gitlab Gitlab 8.15.4
Gitlab Gitlab
Gitlab Gitlab 8.16.1
Gitlab Gitlab 8.16.3
Gitlab Gitlab 8.15.5
5.4
CVSSv3
CVE-2017-5494
Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution up to and including 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.
B2evolution B2evolution
NA
CVE-2015-2217
Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Board (aka myUPB) prior to 2.2.8 allow remote malicious users to inject arbitrary web script or HTML via the (1) q parameter to search.php or (2) avatar parameter to profile.php.
Myupb Ultimate Php Board 2.2.7
NA
CVE-2015-2087
Unrestricted file upload vulnerability in the Avatar Uploader module prior to 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.
Avatar Uploader Project Avatar Uploader
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
4
5
6
7
8
9
10
NEXT »