60 matches found
CVE-2026-3111
Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa, specifically at the endpoint '/archivos/usuarios/ID/username/thumbAAxAA.jpg', where AAxAA is the thumbnail size (80x90 or 40x45). Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of...
CVE-2024-34468
Rukovoditel before 3.5.3 allows XSS via userphoto to My Page...
PT-2025-51028
Name of the Vulnerable Software and Affected Versions: campcodes Online Student Enrollment System version 1.0. Description: A flaw exists in campcodes Online Student Enrollment System that allows for unrestricted file upload. This issue affects the file '/admin/index.php?page=user-profile' and...
EUVD-2017-12025
Malware in sbrugna...
EUVD-2018-13298
Malware in sbrugna...
EUVD-2012-2900
Malware in sbrugna...
EUVD-2024-54954
Malicious code in bioql PyPI...
EUVD-2025-4446
Malicious code in bioql PyPI...
CVE-2024-49722
In showAvatarPicker of EditUserPhotoController.java, there is a possible cross user image leak due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
Google Android Information Disclosure Vulnerability (CNVD-2026-00039)
Google Android is a Linux-based open source operating system from Google. Google Android suffers from an information disclosure vulnerability due to a cross-user image disclosure caused by a confused deputy in showAvatarPicker of EditUserPhotoController.java. An attacker can exploit the...
PT-2025-35619
Name of the Vulnerable Software and Affected Versions: EditUserPhotoController.java affected versions not specified Description: The showAvatarPicker function within EditUserPhotoController.java is susceptible to a confused deputy issue, potentially leading to local information disclosure...
CVE-2024-43082
In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-30179
CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting the User Photo Location in User Settings, leading to Remote Code Execution. NOTE: the vendor disputes this because only Administrator...
CVE-2013-1916
In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor to the server hosting WordPress. This backdoor can be called (executed) even if the photo has not yet been approved...
CVE-2024-54558
A clickjacking issue was addressed with improved out-of-process view handling. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to trick a user into granting access to photos from the user's photo library...
CVE-2024-54558
CVE-2024-54558 describes a clickjacking issue related to out-of-process view handling. The flaw could allow an app to trick a user into granting access to the Photos Library. It affects Apple platforms and is fixed in macOS Sequoia 15, iOS 18, and iPadOS 18. The CVE’s base metrics show a low seve...
CVE-2024-13873
WP Job Portal for WordPress (plugin) is vulnerable up to version 2.2.8. An Insecure Direct Object Reference exists in deleteUserPhoto() due to missing validation of a user-controlled key, enabling authenticated users with Subscriber+ rights to remove profile photos from other user accounts. The i...
CVE-2024-13873 WP Job Portal <= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto function due to missing validation on a user controlled key. This makes it...
PT-2024-30282 · Google · Android
Name of the Vulnerable Software and Affected Versions: No specific software name or versions are mentioned in the provided descriptions. Description: The issue is related to a possible cross-user media read due to a confused deputy in the EditUserPhotoController. This could lead to local...
The vulnerability in the index.php?module=users/registration&action=save component of the Rukovoditel customer relationship management system allows an attacker to perform XSS attacks.
The vulnerability in the index.php?module=users/registration&action=save component of the Customer Relationship Management system's administration interface lies in the lack of protection of the page structure when processing the userphoto parameter. Exploiting this vulnerability allows an...