14 matches found
EUVD-2019-4746
Malware in sbrugna...
CVE-2025-24969 iTop portal user can see any other contact's picture
iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue...
CVE-2019-13239
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the uploadimage capability (by default, Author and above) to change and delete the profile pictures of other users, including those with higher roles. Use a proxy such as Burp Suite to capture the request made when changing your own profile...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the uploadimage capability (by default, Author and above) to change and delete the profile pictures of other users, including those with higher roles. PoC: Use a proxy such as Burp Suite to capture the request made when changing your own...
FreeBSD : glpi -- stored XSS (d222241d-91cc-11ea-82b8-4c72b94353b5)
MITRE Corporation reports: inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database: Copyright 2003-2020 Jacques Vidrine and contributors...
Fedora 30 : glpi (2019-a1636592a3)
GLPI version 9.4.4. This is a security release; upgrading is highly recommended. Non-exhaustive list of changes: - security: Prevent account takeover vulnerability, - security: Prevent execution of XSS on rich text, - fix cache key length issues, - fix user picture removal at login, - several fixes...
UBUNTU-CVE-2019-13239
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
Cross site scripting
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
glpi -- stored XSS
MITRE Corporation reports: inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture...
Profile picture thumbnail generation can consume unlimited amount of memory
Discovered by a Studio customer: you can upload a very large profile picture to expose the same problem as CONF-21480, just in a different area of the application. We should limit the size of images we're willing to load into memory to avoid this problem with user pictures...