60 matches found

ATTACKERKB (added 2026/03/16 9:37 a.m.)
CVE-2026-3111
Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa, specifically at the endpoint '/archivos/usuarios/ID/username/thumbAAxAA.jpg' (AAxAA corresponds to 80x90 and 40x45). Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of...
CVSS 6.9 · AI score 5.8 · EPSS 0.00261
Exploits 0 · References 2 · Affected software 1

RedhatCVE (added 2026/01/09 9:36 a.m.)
CVE-2024-34468
Rukovoditel before 3.5.3 allows XSS via userphoto to My Page...
CVSS 6.1 · AI score 5.8 · EPSS 0.00342
Exploits 1 · References 1

Positive Technologies (added 2025/12/12 12:00 a.m.)
PT-2025-51028
Name of the Vulnerable Software and Affected Versions: campcodes Online Student Enrollment System version 1.0. Description: A flaw exists in campcodes Online Student Enrollment System that allows unrestricted file upload. This issue affects the file '/admin/index.php?page=user-profile' and...
CVSS 7.2 · AI score 4.9 · EPSS 0.00338
Exploits 1 · References 10

EUVD (added 2025/10/07 12:30 a.m.)
EUVD-2017-12025
Malware in sbrugna...
CVSS 7.8 · AI score 7.6 · EPSS 0.01379
Exploits 2 · References 2

EUVD (added 2025/10/07 12:30 a.m.)
EUVD-2018-13298
Malware in sbrugna...
CVSS 6.1 · AI score 6.1 · EPSS 0.00861
Exploits 1 · References 5

EUVD (added 2025/10/07 12:30 a.m.)
EUVD-2012-2900
Malware in sbrugna...
CVSS 4.3 · AI score 6.4 · EPSS 0.02165
Exploits 0 · References 8

EUVD (added 2025/10/03 8:07 p.m.)
EUVD-2024-54954
Malicious code in bioql PyPI...
CVSS 5.5 · AI score 6.6 · EPSS 0.00108
Exploits 0 · References 3

EUVD (added 2025/10/03 8:07 p.m.)
EUVD-2025-4446
Malicious code in bioql PyPI...
CVSS 4.3 · AI score 9.2 · EPSS 0.00302
Exploits 0 · References 3

RedhatCVE (added 2025/09/04 10:32 p.m.)
CVE-2024-49722
In showAvatarPicker of EditUserPhotoController.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVSS 5.5 · AI score 5.4 · EPSS 0.00108
Exploits 0 · References 1

CNVD (added 2025/09/04 12:00 a.m.)
Google Android Information Disclosure Vulnerability (CNVD-2026-00039)
Google Android is a Linux-based open source operating system from Google. Google Android suffers from an information disclosure vulnerability: a confused deputy in showAvatarPicker of EditUserPhotoController.java allows cross-user image disclosure. An attacker can exploit the...
CVSS 5.5 · AI score 6.2 · EPSS 0.00108
Exploits 0 · References 1

Positive Technologies (added 2025/09/02 12:00 a.m.)
PT-2025-35619
Name of the Vulnerable Software and Affected Versions: EditUserPhotoController.java, affected versions not specified. Description: The showAvatarPicker function within EditUserPhotoController.java is susceptible to a confused deputy issue, potentially leading to local information disclosure...
CVSS 5.5 · AI score 5.8 · EPSS 0.00108
Exploits 0 · References 6

RedhatCVE (added 2025/05/23 6:32 a.m.)
CVE-2024-43082
In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVSS 5.5 · AI score 6.2 · EPSS 0.00101
Exploits 0 · References 1

RedhatCVE (added 2025/05/23 2:40 a.m.)
CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...
CVSS 7.2 · AI score 7.3 · EPSS 0.02203
Exploits 1 · References 1

RedhatCVE (added 2025/05/22 11:23 a.m.)
CVE-2013-1916
In WordPress Plugin User Photo 0.9.4, when a photo is uploaded it is only partially validated, and it is possible to upload a backdoor to the server hosting WordPress. This backdoor can be called (executed) even if the photo has not yet been approved...
CVSS 8.8 · AI score 6.8 · EPSS 0.1214
Exploits 1 · References 1

NVD (added 2025/03/10 7:15 p.m.)
CVE-2024-54558
A clickjacking issue was addressed with improved out-of-process view handling. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to trick a user into granting access to photos from the user's photo library...
CVSS 2.8 · EPSS 0.00196
Exploits 0 · References 2

CVE (added 2025/03/10 7:11 p.m.)
CVE-2024-54558
CVE-2024-54558 describes a clickjacking issue related to out-of-process view handling. The flaw could allow an app to trick a user into granting access to the Photos Library. It affects Apple platforms and is fixed in macOS Sequoia 15, iOS 18, and iPadOS 18. The CVE's base metrics show a low seve...
CVSS 2.8 · AI score 5.4 · EPSS 0.00196
Exploits 0 · References 2 · Affected software 3

CVE (added 2025/02/22 3:20 a.m.)
CVE-2024-13873
The WP Job Portal plugin for WordPress is vulnerable up to and including version 2.2.8. An Insecure Direct Object Reference exists in deleteUserPhoto() due to missing validation of a user-controlled key, enabling authenticated users with Subscriber+ rights to remove profile photos from other user accounts. The i...
CVSS 4.3 · AI score 4.3 · EPSS 0.00302
Exploits 0 · References 2 · Affected software 1

Vulnrichment (added 2025/02/22 3:20 a.m.)
CVE-2024-13873 WP Job Portal <= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto function due to missing validation on a user controlled key. This makes it...
CVSS 4.3 · AI score 4.3 · EPSS 0.00302
Exploits 0 · References 2

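Two entries on this page are IDORs against per-user profile photos: CVE-2026-3111 (an unauthenticated reader reaches another user's photo through a predictable path) and CVE-2024-13873 (an authenticated Subscriber deletes another user's photo because deleteUserPhoto trusts a request-supplied key). Both come down to the same missing step: the object is resolved from the client's identifier, but its owner is never compared with the caller. The following is an added example, not code from WP Job Portal, Campus Educativa or any other project here; the photo store, the user IDs and the handler names are assumptions made for the demonstration, and it shows a vulnerable delete handler beside an ownership-checked delete and read.

```python
"""Ownership check for per-user photo objects: IDOR beside the fix.

Added example; not code from WP Job Portal, Campus Educativa or any other
project on this page. The store layout, user IDs and handler names are
assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Photo:
    photo_id: int
    owner_id: int
    path: str


@dataclass
class PhotoStore:
    # Constructed sample data: two users (101 and 202), one photo each.
    photos: Dict[int, Photo] = field(default_factory=lambda: {
        1: Photo(1, 101, "/uploads/101/thumb80x90.jpg"),
        2: Photo(2, 202, "/uploads/202/thumb80x90.jpg"),
    })

    def delete_photo_vulnerable(self, current_user_id: int, photo_id: int) -> bool:
        """IDOR: the request-supplied photo_id is used directly and the caller's
        identity is never compared with the owner, so any authenticated user
        can delete any photo whose id they can guess."""
        if photo_id in self.photos:
            del self.photos[photo_id]
            return True
        return False

    def delete_photo_fixed(self, current_user_id: int, photo_id: int,
                           is_admin: bool = False) -> bool:
        """Hardened: resolve the object, then require that the caller owns it
        (or holds an administrative role). Missing and foreign ids both return
        False, so a non-owner cannot probe which ids exist."""
        photo = self.photos.get(photo_id)
        if photo is None:
            return False
        if not is_admin and photo.owner_id != current_user_id:
            return False
        del self.photos[photo_id]
        return True

    def get_photo_fixed(self, current_user_id: Optional[int],
                        photo_id: int) -> Optional[Photo]:
        """Read path with the same rule: an unauthenticated caller (None) or a
        non-owner gets nothing, so a predictable path alone does not disclose
        another user's photo."""
        photo = self.photos.get(photo_id)
        if photo is None or current_user_id is None or photo.owner_id != current_user_id:
            return None
        return photo


if __name__ == "__main__":
    store = PhotoStore()
    print("vulnerable: user 101 deletes photo 2 ->",
          store.delete_photo_vulnerable(101, 2))
    store = PhotoStore()
    print("fixed: user 101 deletes photo 2 ->", store.delete_photo_fixed(101, 2))
    print("fixed: user 202 deletes photo 2 ->", store.delete_photo_fixed(202, 2))
```

The check belongs on every verb that takes an object id from the request (read, update, delete), not only on delete, and it is a comparison against the authenticated session's user id, never against a user id that also arrives in the request.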
Positive Technologies (added 2024/11/13 12:00 a.m.)
PT-2024-30282 · Google · Android
Name of the Vulnerable Software and Affected Versions: No specific software name or versions are mentioned in the provided descriptions. Description: The issue is related to a possible cross-user media read due to a confused deputy in the EditUserPhotoController. This could lead to local...
CVSS 5.5 · AI score 6.1 · EPSS 0.00101
Exploits 0 · References 6

BDU FSTEC (added 2024/05/13 12:00 a.m.)
The vulnerability in the index.php?module=users/registration&action=save component of the Rukovoditel customer relationship management system allows an attacker to perform XSS attacks.
The vulnerability in the index.php?module=users/registration&action=save component of the Customer Relationship Management system's administration interface lies in insufficient protection of the web page structure when processing the userphoto parameter. Exploiting this vulnerability allows an...
CVSS 4 · AI score 5.4 · EPSS 0.00589
Exploits 1 · References 4 · Affected software 1