The avatar image upload was not properly sanitized
- Any content may be uploaded and displayed instead of an avatar image.
- It can be manipulated through the avatar name of the PNG file.
This can result in the upload of malicious code, and even in the execution of system commands or a phishing campaign against users.
PoC: https://gitlab.com/uploads/-/system/user/avatar/4736912/custom_title_insted_default_one.png
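A server-side check that addresses both points above, as an added example (not GitLab's code and not part of the original report): the upload is judged by its bytes rather than its `.png` name, and the stored name is chosen by the server. The function names, the 4096-pixel limit and the sample inputs are assumptions made for this sketch.

```ruby
require "zlib"
require "digest"

PNG_SIGNATURE = "\x89PNG\r\n\x1a\n".b
MAX_DIMENSION = 4096 # assumed limit for this example

# Returns [ok, reason]. Decides from the bytes alone; the client-supplied
# file name is never consulted. Checks the header only, not the full image.
def png_avatar?(data)
  data = data.b
  return [false, "bad signature"] unless data.start_with?(PNG_SIGNATURE)
  # First chunk must be IHDR: 4-byte length (13), 4-byte type, 13 data bytes, CRC32.
  length, type = data.byteslice(8, 8).to_s.unpack("Na4")
  return [false, "missing IHDR"] unless length == 13 && type == "IHDR"
  body = data.byteslice(12, 17) # chunk type + chunk data, the span the CRC covers
  crc = data.byteslice(29, 4)
  return [false, "truncated IHDR"] unless body&.bytesize == 17 && crc&.bytesize == 4
  return [false, "IHDR CRC mismatch"] unless Zlib.crc32(body) == crc.unpack1("N")
  width, height = body.byteslice(4, 8).unpack("NN")
  in_range = [width, height].all? { |d| (1..MAX_DIMENSION).cover?(d) }
  in_range ? [true, "ok"] : [false, "bad dimensions"]
end

# Returns the server-chosen storage name, or nil when the upload is rejected.
# client_name is accepted only to show that it is ignored.
def accept_avatar(client_name, data)
  ok, _reason = png_avatar?(data)
  ok ? "#{Digest::SHA256.hexdigest(data)}.png" : nil
end

# Constructed sample: PNG signature plus a well-formed IHDR chunk.
def constructed_png(width, height)
  body = "IHDR".b + [width, height, 8, 6, 0, 0, 0].pack("NNC5")
  PNG_SIGNATURE + [13].pack("N") + body + [Zlib.crc32(body)].pack("N")
end

if __FILE__ == $PROGRAM_NAME
  p accept_avatar("custom_title.png", "<html><body>not an image</body></html>")
  p accept_avatar("avatar.png", constructed_png(64, 64))
end
```

A header check like this only narrows what is accepted; re-encoding the image on the server and serving it with a fixed `image/png` content type are complementary controls.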