Collabtive · Collabtive · CVE-2012-2670
**Name of the Vulnerable Software and Affected Versions**
Collabtive versions prior to 0.7.6
**Description**
The avatar upload handled by `manageuser.php` accepts a file based on the Content-Type the client declares for it (for example `image/jpeg`) rather than on the file's extension or actual contents. Because that Content-Type is part of the request body and is therefore chosen by the uploader, a remote authenticated user, and possibly an unauthenticated attacker, can upload a file containing PHP code while declaring it to be an image. The file is stored under the web-accessible `files/standard/avatar` directory and can then be fetched with a direct request, at which point the server executes it. The result is unrestricted file upload leading to arbitrary code execution.
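The following is an added illustration, not Collabtive's own code, of the difference between the vulnerable pattern (trusting the client-declared MIME type) and a content-based check. It assumes the upload handler stores the file with the name and extension the client supplied; the function names, the sample payload and the 1x1 GIF are constructed for the example.

```php
<?php
// Added example (not Collabtive code): trusting the client-declared MIME type
// versus checking extension and file contents before storing an avatar.

// Vulnerable pattern. $_FILES['avatar']['type'] is copied from the multipart
// request body, so the uploader chooses it freely; a PHP file declared as
// image/jpeg passes this check unchanged.
function avatar_allowed_by_declared_type(string $declaredType): bool
{
    return in_array($declaredType, ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened check. The declared type is ignored entirely. The extension must be
// on an allowlist, the bytes must sniff as the matching image type, they must
// decode as an image, and the stored name is generated by the server so the
// uploader never controls the filename or extension that ends up on disk.
// Returns the server-chosen filename, or null when the upload is rejected.
function avatar_allowed_by_content(string $originalName, string $bytes): ?string
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                      // e.g. shell.php, shell.phtml
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($bytes) !== $allowed[$ext]) {
        return null;                      // PHP source renamed to .jpg
    }
    if (getimagesizefromstring($bytes) === false) {
        return null;                      // does not parse as an image
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a PHP payload, and a valid 1x1 transparent GIF.
$payload = "<?php system(\$_GET['c']); ?>";
$gif     = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

// Vulnerable check: the attacker simply declares image/jpeg and is accepted.
var_dump(avatar_allowed_by_declared_type('image/jpeg'));          // bool(true)

// Hardened check: rejected on extension, then rejected on content even when
// the extension is spoofed; the real image is accepted under a server name.
var_dump(avatar_allowed_by_content('shell.php', $payload));       // NULL
var_dump(avatar_allowed_by_content('shell.jpg', $payload));       // NULL
var_dump(avatar_allowed_by_content('me.gif', $gif) !== null);     // bool(true)
```

The content check alone is not a complete fix: a genuine image can still carry PHP code in its metadata, so the `files/standard/avatar` directory must additionally be served without script execution (for example by disabling the PHP handler for that directory in the web server configuration), which is what makes a direct request to an uploaded file harmless.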
**Recommendations**
For versions prior to 0.7.6, update to version 0.7.6 or later to resolve the issue. As a temporary workaround, restrict access to `manageuser.php` and to the `files/standard/avatar` directory, and configure the web server so that files in that directory are never executed as scripts. Avoid uploading avatar files through `manageuser.php` until the update has been applied.