UserPreferencesResource accepts form-encoded data and is vulnerable to XSRF attacks

2014-07-15T08:47:51
ID ATLASSIAN:CONF-34276
Type atlassian
Reporter richatkins
Modified 2017-02-17T04:30:19

Description

UserPreferencesResource exposes all data stored in a UserPreferences object, and allows updating it via a POST. This vulnerability needs to be closed before the next deployment.