TinyCheck before commits 9fd360d and ea53de8 allowed an authenticated malicious user to send an HTTP GET request to the crafted URLs.
kaspersky tinycheck