Daniel Celis

**Name of the Vulnerable Software and Affected Versions** openSIS Classic version 9.3 **Description** An insecure direct object reference in the messaging module allows authenticated users with access to that module to request sent-message details. This is achieved by supplying an arbitrary `mail id` value to the 'modules/messaging/SentMail.php' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** askbot versions prior to 0.12.2 **Description** An authenticated attacker with normal user permissions can modify the profile picture of other application users. **Recommendations** Update to a version later than 0.12.2.