Askbot
cpe:2.3:a:askbot:askbot:*:*:*:*:*:*:*
- <= 0.12.2
A vulnerability exists in Askbot versions through 0.12.2, allowing authenticated users with normal permissions to change the profile pictures of other users. This issue arises from improper authorization validation in the avatar update process, enabling users to manipulate the user_id parameter and alter avatars of any user.
Exploitation of this vulnerability allows for unauthorized modification of user profile pictures, potentially leading to misuse of avatars or impersonation.
The vulnerability can be reproduced by an authenticated user with normal permissions. Intercept the POST request used to upload a profile picture and modify the user_id parameter to target another user. The request can then be sent to update the avatar of the selected user.
Users can update to Askbot version 0.12.3, which addresses this vulnerability by improving authorization checks in the avatar management feature.
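The defect described above is a missing ownership check on the target of the avatar update, not a missing login check. The following added example (written for this page, not Askbot's own code; the User, Request and AvatarStore names are hypothetical stand-ins for the framework and database) shows the trusting pattern beside the hardened one, where the target account must be the requester unless the requester is an administrator.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    pk: int
    is_admin: bool = False


@dataclass
class Request:
    """Minimal stand-in for a web framework request: the logged-in user plus the form fields."""
    user: User
    POST: dict


class Forbidden(Exception):
    """Raised when the requester is not allowed to change the target user's avatar."""


@dataclass
class AvatarStore:
    """Constructed in-memory stand-in for the application's user table (user pk -> avatar file)."""
    avatars: dict = field(default_factory=dict)

    def upload_avatar_vulnerable(self, request: Request) -> int:
        """Pattern the advisory describes: the target is read straight from the
        user_id form field, so any authenticated user can point the request at
        someone else's account. Returns the pk whose avatar was changed."""
        target = int(request.POST["user_id"])
        self.avatars[target] = request.POST["avatar"]
        return target

    def upload_avatar_fixed(self, request: Request) -> int:
        """Hardened version: the form field is only a hint. The target must be
        the authenticated user, or the requester must be an administrator."""
        target = int(request.POST.get("user_id", request.user.pk))
        if target != request.user.pk and not request.user.is_admin:
            raise Forbidden(f"user {request.user.pk} may not change the avatar of user {target}")
        self.avatars[target] = request.POST["avatar"]
        return target


if __name__ == "__main__":
    # Constructed scenario: a normal user submits a tampered user_id for another account.
    store = AvatarStore({1: "alice.png", 2: "bob.png"})
    tampered = Request(user=User(pk=2), POST={"user_id": "1", "avatar": "changed.png"})
    print("vulnerable handler changed avatar of user", store.upload_avatar_vulnerable(tampered))
    try:
        store.upload_avatar_fixed(tampered)
    except Forbidden as exc:
        print("fixed handler rejected it:", exc)
```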