Location of vulnerability: Line 187 in user.py
Severity: High (Similar rating to another similar app/use-case)
Description: The avatar() method of UserAPI() in user.py allows for Directory Traversal and Information Disclosure. The method uses request.save() from Flask, but does NOT validate the filename (variable fname) for harmful characters first.
Remediation: Use pathlib.Path and explicit checks to validate fname before using. More information on potential implementation found here.
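One way to implement the suggested remediation, as an added example that is not the project's code: the avatar directory, the extension whitelist and the function names below are assumptions for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Assumed upload root and whitelist (constructed for this example, not the project's values).
AVATAR_DIR = Path("/var/app/avatars")
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def validate_avatar_path(fname: str, base_dir: Path = AVATAR_DIR) -> Path:
    """Return the resolved destination for an untrusted avatar filename.

    Raises ValueError unless fname is a single, plain filename component whose
    resolved location sits directly inside base_dir.
    """
    if not fname or fname != fname.strip() or "\x00" in fname:
        raise ValueError("empty, padded or NUL-containing filename")
    # A plain filename must equal its own final component under both POSIX and
    # Windows rules; this rejects '/', '\\', drive letters and 'dir/..' forms.
    if PurePosixPath(fname).name != fname or PureWindowsPath(fname).name != fname:
        raise ValueError("filename must not contain path components")
    if fname.startswith("."):
        raise ValueError("dot-files and relative names are not allowed")
    if Path(fname).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("unsupported file extension")
    base = base_dir.resolve()
    target = (base / fname).resolve()
    # Containment check after resolution: resolve() follows symlinks, so this
    # also catches a name that would resolve outside base_dir.
    if target.parent != base:
        raise ValueError("destination escapes the avatar directory")
    return target


def is_safe_avatar_name(fname: str) -> bool:
    """Boolean convenience wrapper for callers that only need accept/reject."""
    try:
        validate_avatar_path(fname)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("avatar.png", "../avatar.png", "..\\avatar.png", ".htaccess", "avatar.txt"):
        print(repr(name), "->", is_safe_avatar_name(name))
```

Werkzeug's secure_filename() is a common complementary step, but it normalises a name rather than rejecting it, so the explicit containment check after resolve() should stay regardless.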