A missing permission check in Jenkins Avatar Plugin 1.2 and previous versions allows attackers with Overall/Read access to change the avatar of any user of Jenkins.
jenkins avatar