Description: Some administrative actions for "Contact" profile images lacked sufficient validation, making them vulnerable to cross-site request forgery (CSRF).
Vulnerable versions: CiviCRM version 5.64.3 and earlier
Fixed versions: CiviCRM version 5.64.4, 5.65.0 and 5.63.4 (ESR)
Mitigation: Upgrade to the fixed version of CiviCRM
Reported by: Ranjit Pahan
Fixed by: Coleman Watts of CiviCRM; Seamus Lee of JMA Consulting/CiviCRM
References: security/core#126; huntr.dev: d0896494-0642-40d2-8d49-8cf6c7d6e5c0
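As an added illustration of the defence for this class of issue (example code, not CiviCRM's own code and not the actual fix), a state-changing "delete contact image" action is bound to a per-session token and refuses to act without it. The action and parameter names (`delete_contact_image`, `cid`) are assumptions.

```php
<?php
// Added example, not CiviCRM's code. Assumed names: delete_contact_image action, cid parameter.
session_start();

function csrf_token(): string {
    // One random token per session; embedded in the form/link that triggers the action.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // Constant-time compare; a missing session token or submitted token fails closed.
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

function remove_image_file(int $cid): void {
    // Placeholder for the real deletion; deliberately not wired to any path here.
}

// Weak shape (the general pattern the advisory describes): any request carrying
// cid performs the deletion, so a request a third-party page causes the
// administrator's browser to send is honoured with the administrator's session.
function delete_contact_image_unchecked(int $cid): void {
    remove_image_file($cid);
}

// Hardened shape: only a POST carrying the session's token reaches the side effect.
// Logging the rejection gives defenders a detection signal for forged requests.
function delete_contact_image_checked(int $cid): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($_POST['csrf_token'] ?? null)) {
        error_log("CSRF check failed for delete_contact_image cid={$cid}");
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    remove_image_file($cid);
}

// The legitimate form embeds the token so the checked handler accepts it:
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, independent layer, but the token check is what closes the gap on its own.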