The changeMemberPortrait and deletePersonalPortrait methods of the portal_membership tool lack security declarations, enabling any anonymous internet user to change and delete portraits on Plone sites at will. These methods furthermore lack all checks to make sure no portraits are altered by third parties, so even if security declarations were in place, logged-in members could still alter the portraits of fellow portal members at will.

The following curl command would replace the portrait of a user on the target Plone site with a file chosen by the attacker. No login is needed, and member_id is just a form field under the attacker's control:

curl -F portrait=@[path_to_file] --form-string member_id=[username] http://szgy.org/portal_membership/changeMemberPortrait

Further risks include the spreading of malicious JPEGs or other images that trigger bugs in Internet Explorer, allowing attackers to abuse Plone sites for the uploading of malware.
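The two separate defects above (no permission check at all, and no check that the caller owns the targeted portrait) modelled in plain Python, as an added example that is not Plone's own code: the vulnerable behaviour sits next to a hardened version that refuses anonymous callers and lets only the member in question, or a Manager, change or delete a portrait. The names Request, PortraitTool, Unauthorized and the role strings are invented for illustration and do not correspond to the real Zope/Plone API.

```python
"""Toy model of the portrait-change flaw: vulnerable vs hardened method.

Added example, not Plone code. Request/PortraitTool/Unauthorized are
invented names; "Manager" stands in for an administrative role.
"""
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous User"


class Unauthorized(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Request:
    """What the web layer hands the method: caller identity, roles, form."""
    user: str = ANONYMOUS
    roles: frozenset = frozenset()
    # form carries the multipart fields from the curl call above:
    # "portrait" (file bytes) and "member_id" (attacker-chosen target).
    form: dict = field(default_factory=dict)


@dataclass
class PortraitTool:
    portraits: dict = field(default_factory=dict)

    # --- vulnerable: mirrors the advisory, any caller, any member_id ---
    def vulnerable_change_portrait(self, request: Request) -> str:
        target = request.form.get("member_id") or request.user
        self.portraits[target] = request.form["portrait"]
        return target

    def vulnerable_delete_portrait(self, request: Request) -> str:
        target = request.form.get("member_id") or request.user
        self.portraits.pop(target, None)
        return target

    # --- hardened: authenticated caller, own portrait or Manager role ---
    def _authorize(self, request: Request) -> str:
        """Return the member whose portrait may be touched, or raise."""
        if request.user == ANONYMOUS:
            # Equivalent of a security declaration: anonymous is rejected.
            raise Unauthorized("authentication required")
        target = request.form.get("member_id") or request.user
        if target != request.user and "Manager" not in request.roles:
            # The ownership check the advisory says is missing.
            raise Unauthorized(f"{request.user} may not alter portrait of {target}")
        return target

    def hardened_change_portrait(self, request: Request) -> str:
        target = self._authorize(request)
        self.portraits[target] = request.form["portrait"]
        return target

    def hardened_delete_portrait(self, request: Request) -> str:
        target = self._authorize(request)
        self.portraits.pop(target, None)
        return target


def attack_request(target: str, payload: bytes = b"\xff\xd8not-really-a-jpeg") -> Request:
    """Constructed stand-in for the anonymous curl call in the advisory."""
    return Request(form={"portrait": payload, "member_id": target})


if __name__ == "__main__":
    tool = PortraitTool()
    print("vulnerable:", tool.vulnerable_change_portrait(attack_request("victim")))
    try:
        tool.hardened_change_portrait(attack_request("victim"))
    except Unauthorized as exc:
        print("hardened refused:", exc)
```

Running the module shows the anonymous request succeeding against the vulnerable method and being refused by the hardened one; a logged-in member other than the target is refused in the same way unless they hold the Manager role.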