Some administrative actions for "Contact" profile images lacked sufficient validation, making them vulnerable to cross-site request forgery (CSRF).
Affected versions: CiviCRM version 5.64.3 and earlier
Fixed versions: CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)
Solution: Upgrade to the fixed version of CiviCRM.
Coleman Watts of CiviCRM.
Seamus Lee of JMA Consulting/CiviCRM.