Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

avatar_uploader

Source -

CNANVD

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

3
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found
CVE-2022-50957
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.07% / 22.77%
||
7 Day CHG+0.01%
Published-10 May, 2026 | 12:12
Updated-26 May, 2026 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

Action-Not Available
Vendor-avatar_uploader
Product-avatar_uploader
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-9205
Assigner-Larry Cashdollar
ShareView Details
Assigner-Larry Cashdollar
CVSS Score-7.5||HIGH
EPSS-81.45% / 99.20%
||
7 Day CHG~0.00%
Published-04 Apr, 2018 | 15:00
Updated-05 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path.

Action-Not Available
Vendor-Robbin ZhaoThe Drupal Association
Product-avatar_uploaderavatar_uploader
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-2087
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.44% / 63.79%
||
7 Day CHG~0.00%
Published-26 Feb, 2015 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.

Action-Not Available
Vendor-avatar_uploader_projectn/a
Product-avatar_uploadern/a
CVE-2014-9155
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.68% / 72.20%
||
7 Day CHG~0.00%
Published-01 Dec, 2014 | 16:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel.

Action-Not Available
Vendor-avatar_uploader_projectn/a
Product-avatar_uploadern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')