diff --git a/workflow/engine/methods/users/users_ViewPhotoGrid.php b/workflow/engine/methods/users/users_ViewPhotoGrid.php index 0b8b9a6d6..0c24287be 100644 --- a/workflow/engine/methods/users/users_ViewPhotoGrid.php +++ b/workflow/engine/methods/users/users_ViewPhotoGrid.php 
@@ -2,89 +2,63 @@ use ProcessMaker\Model\User; - -if (($RBAC_Response = $RBAC->userCanAccess( "PM_LOGIN" )) != 1) +if (($RBAC_Response = $RBAC->userCanAccess( "PM_LOGIN" )) != 1) { return $RBAC_Response; +} -$direction = PATH_IMAGES_ENVIRONMENT_USERS . $_REQUEST['pUID'] . ".gif"; -// header('Pragma: '); -// header('Cache-Control: cache'); +// Validate transversal path in pUID parameter +$pUID = basename($_REQUEST['pUID']); // Elimina path traversal +$pUID = preg_replace('/[^a-zA-Z0-9_-]/', '', $pUID); // Solo caracteres seguros +if (empty($pUID)) { + $filename = PATH_HOME . 'public_html/images/user.gif'; +} else { + $filename = PATH_IMAGES_ENVIRONMENT_USERS . $pUID . ".gif"; +} -if (! file_exists( $direction )) { +// Verify if user image exists, if not, try to get it by USR_UID, if still not found, use default user image +if (!file_exists($filename)) { $user = new User(); $filters = array( 'limit' => 1, 'fields' => ['USR_UID'], - 'conditions' => [['USR_ID', '=', $_REQUEST['pUID']]] + 'conditions' => [['USR_ID', '=', $pUID]] ); $result = $user->show($filters); if ($result['total'] == 1){ - $direction = PATH_IMAGES_ENVIRONMENT_USERS . $result['data'][0]['USR_UID'] . ".gif"; - if (! file_exists( $direction )) { - $direction = PATH_HOME . 'public_html/images/user.gif'; + $filename = PATH_IMAGES_ENVIRONMENT_USERS . $result['data'][0]['USR_UID'] . ".gif"; + if (!file_exists($filename)) { + $filename = PATH_HOME . 'public_html/images/user.gif'; } } else { - $direction = PATH_HOME . 'public_html/images/user.gif'; + $filename = PATH_HOME . 'public_html/images/user.gif'; } } -G::sendHeaders( $direction ); - -DumpHeaders( $direction ); - -/* - * This function is verified to work with Netscape and the *very latest* - * version of IE. I don't know if it works with Opera, but it should now. - */ -function DumpHeaders ($filename) -{ - - global $root_path; - - if (! 
$filename) - return; - - $HTTP_USER_AGENT = $_SERVER['HTTP_USER_AGENT']; - - $isIE = 0; - - if (strstr( $HTTP_USER_AGENT, 'compatible; MSIE ' ) !== false && strstr( $HTTP_USER_AGENT, 'Opera' ) === false) { - $isIE = 1; - } - - if (strstr( $HTTP_USER_AGENT, 'compatible; MSIE 6' ) !== false && strstr( $HTTP_USER_AGENT, 'Opera' ) === false) { - $isIE6 = 1; - } - - $aux = preg_replace( '[^-a-zA-Z0-9\.]', '_', $filename ); - $aux = explode( '_', $aux ); - $downloadName = $aux[count( $aux ) - 1]; - - if ($isIE && ! isset( $isIE6 )) { - // http://support.microsoft.com/support/kb/articles/Q182/3/15.asp - // Do not have quotes around filename, but that applied to - // "attachment"... does it apply to inline too? - - - // This combination seems to work mostly. IE 5.5 SP 1 has - // known issues (see the Microsoft Knowledge Base) - header( "Content-Disposition: inline; filename=$downloadName" ); - - // This works for most types, but doesn't work with Word files - header( "Content-Type: application/download; name=\"$downloadName\"" ); - - //header("Content-Type: $type0/$type1; name=\"$downloadName\""); - //header("Content-Type: application/x-msdownload; name=\"$downloadName\""); - //header("Content-Type: application/octet-stream; name=\"$downloadName\""); - } else { - header( "Content-Disposition: attachment; filename=\"$downloadName\"" ); - header( "Content-Type: application/octet-stream; name=\"$downloadName\"" ); - } - - //$filename = PATH_UPLOAD . "$filename"; - readfile( $filename ); +// Verify if file exists, if not, return 404 +if (! file_exists( $filename )) { + header('HTTP/1.1 404 Not Found'); + exit(); } -//G::header2( "location: /files/" .$_SESSION['ENVIRONMENT']. "/" .$appid, $filename); +// Get file info +$lastModified = filemtime($filename); +$fileSize = filesize($filename); +$etag = md5($fileSize . $lastModified . $filename); +header('Content-Type: image/gif'); +header('ETag: "' . $etag . '"'); +header('Last-Modified: ' . 
gmdate('D, d M Y H:i:s', $lastModified) . ' GMT'); +header('Content-Length: ' . $fileSize); +header('Cache-Control: public, must-revalidate, max-age=300'); // 5 min cache + +// Validate Client eTAg +$clientEtag = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? trim($_SERVER['HTTP_IF_NONE_MATCH']) : ''; +if ($clientEtag === '"' . $etag . '"') { + header('HTTP/1.1 304 Not Modified'); + exit; +} + +// Show image +readfile($filename); +exit();
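Review bot: The new response is sent with `header('Cache-Control: public, must-revalidate, max-age=300');` although the request was gated a few lines earlier by `$RBAC->userCanAccess("PM_LOGIN")`; with `public` a shared cache in front of the application may serve the photo to clients that never passed that check, so `Cache-Control: private, must-revalidate, max-age=300` matches the access control better. The body is labelled `Content-Type: image/gif` without any check that the file under `PATH_IMAGES_ENVIRONMENT_USERS` is really a GIF, so adding `header('X-Content-Type-Options: nosniff');` next to it keeps browsers from sniffing a non-image upload into something executable. Reading `$_REQUEST['pUID']` still has no presence guard: a request without the parameter emits an undefined-index warning and, on PHP 8, `basename(null)` is deprecated and `pUID[]=x` throws a TypeError, so `$pUID = basename((string) ($_REQUEST['pUID'] ?? ''));` would close that before the sanitising `preg_replace`. The ETag comparison `$clientEtag === '"' . $etag . '"'` also does not match weak validators (`W/"..."`) or comma-separated lists, which only costs a cache hit rather than correctness.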