Description
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.
Published: 2026-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of another user's profile picture via IDOR
Action: Apply patch
AI Analysis

Impact

A vulnerability exists where an authenticated user can change another user's profile picture. This insecure direct object reference allows an attacker to replace or tamper with the profile image of any account they have access to, potentially defacing the user or conveying misleading information. The flaw does not expose sensitive data, but it violates data integrity and could undermine user trust.

Affected Systems

Askbot, version 0.12.2 and any earlier releases, running on Linux, macOS, or Windows. The issue specifically affects the 0.12.2 build cited in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. EPSS is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker must be authenticated as a normal user and can exploit the flaw by submitting a request to update another user's avatar, implicitly referencing that user's object ID. The attack vector is through the web interface and requires no special privileges beyond those of a regular account.

Generated by OpenCVE AI on April 18, 2026 at 14:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Askbot to address the IDOR vulnerability.
  • If a patch is not yet available, modify the avatar update endpoint to verify that the target user ID matches the authenticated user and reject cross-user updates.
  • Enable logging of avatar change attempts and monitor for anomalous activity targeting other users.

Generated by OpenCVE AI on April 18, 2026 at 14:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r2jv-fwfr-4j8c askbot inexhaustive permissions check allows any user to modify a different user's profile picture
History

Tue, 14 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:askbot:askbot:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2.
Title Askbot 0.12.2 - Insecure Direct Object Reference (IDOR)
First Time appeared Askbot
Askbot askbot
Weaknesses CWE-639
CPEs cpe:2.3:a:askbot:askbot:0.12.2:*:linux:*:*:*:*:*
cpe:2.3:a:askbot:askbot:0.12.2:*:macos:*:*:*:*:*
cpe:2.3:a:askbot:askbot:0.12.2:*:windows:*:*:*:*:*
Vendors & Products Askbot
Askbot askbot
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Askbot Askbot
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-01-27T20:48:18.851Z

Reserved: 2026-01-19T21:32:48.977Z

Link: CVE-2026-1213

cve-icon Vulnrichment

Updated: 2026-01-27T20:48:15.393Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T14:15:55.887

Modified: 2026-04-14T14:58:57.673

Link: CVE-2026-1213

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses