Improper Input Validation
Discription

# Description
At the `team update`(`https://ripob47346.getoutline.com/api/team.update`) and `user update`(`https://ripob47346.getoutline.com/api/users.update`) functions, `avatarUrl` was not verified as a correct url. The user can enter arbitrary values.

# Proof of Concept
`/api/team.update`
![/api/team.update](https://i.ibb.co/1ZHhJqC/team-update.png)
`/api/users.update`
![/api/users.update](https://i.ibb.co/f2KXs4h/users-update.png)

`Result:`
![Result](https://i.ibb.co/RypRF1G/UI.png)Read More

Back to Main

Subscribe for the latest news: