Taskcafe · Taskcafe · CVE-2023-26770
**Name of the Vulnerable Software and Affected Versions**
TaskCafe version 0.3.2
**Description**
The issue stems from a lack of validation of the Cookie value: an unauthenticated attacker who knows a registered `UserID` can change that user's password. Because no authentication is required, the issue poses a significant risk.
**Recommendations**
For TaskCafe version 0.3.2, consider disabling the password reset functionality until a patch is available, to prevent exploitation. Restrict access to the Cookie value to minimize the risk of unauthorized password changes, and avoid using the `UserID` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
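As an added illustration of the check whose absence the advisory describes (this is example code written for this page, not TaskCafe's own, and it does not reproduce TaskCafe's real cookie format or endpoints): a cookie that carries a user ID is only honoured once a server-side HMAC over that ID verifies, so knowing a `UserID` alone is not enough to act as that user. The `<userID>.<signature>` layout, the key and the `user-42` value are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrBadCookie = errors.New("invalid or unsigned session cookie")

// MintCookie issues "<userID>.<base64url HMAC-SHA256>" under a server-held key;
// the format is hypothetical, chosen for this example, not TaskCafe's own.
func MintCookie(key []byte, userID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(userID))
	return userID + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// UnverifiedUserID mirrors the flaw class in the advisory: the user ID in the
// cookie is trusted as-is, so anyone who knows an ID can act as that user.
func UnverifiedUserID(cookie string) string {
	id, _, _ := strings.Cut(cookie, ".")
	return id
}

// VerifiedUserID is the hardened form: recompute the HMAC over the claimed ID
// and compare in constant time before a handler such as password change uses it.
func VerifiedUserID(key []byte, cookie string) (string, error) {
	id, sig, ok := strings.Cut(cookie, ".")
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if !ok || id == "" || err != nil {
		return "", ErrBadCookie
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return "", ErrBadCookie
	}
	return id, nil
}

func main() {
	forged := "user-42.AAAA" // constructed: the ID is known, the key is not
	fmt.Println(UnverifiedUserID(forged)) // user-42: the unvalidated path accepts it
	_, err := VerifiedUserID([]byte("constructed-demo-key"), forged)
	fmt.Println(err) // the hardened check rejects it
}
```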