CVE-2020-26679

Name of the Vulnerable Software and Affected Versions: vFairs version 3.3

Description: The issue allows any logged-in user to modify other users' profile information or profile picture in a vFairs virtual conference or event. By obtaining a user's unique identification number and their own, an attacker can make an HTTP POST request to update the profile description or supply a new profile image. This could lead to potential cross-site scripting attacks on any user or allow the upload of malicious PHP webshells as "profile pictures." The user IDs can be easily determined from other API responses for an event or chat room.

Recommendations: For vFairs version 3.3, consider restricting access to profile modification features until a proper fix is implemented to prevent unauthorized changes. As a temporary workaround, restrict the ability to update profile descriptions or upload new profile images to minimize the risk of exploitation.