Summary: An API call used to retrieve a user image on Tableau Server lacks an access control check, which makes it possible for an authenticated user to obtain the image of a user on another site.
Impact: This vulnerability allows an authenticated user to obtain the image of a user on another site.
Vulnerable Versions: The following versions of Tableau Server are vulnerable:
Tableau Server: 10.1 through 10.1.12
Tableau Server: 10.2 through 10.2.7
Tableau Server: 10.3 through 10.3.5
Tableau Server: 10.4 through 10.4.1
Tableau Server: 10.5 through 10.5.0
Resolution: The issue can be fixed by upgrading to the following version: