Description
Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.
Remediation
References