Lucene search
K

99 matches found

ATTACKERKB
ATTACKERKB
added 2022/06/13 1:15 p.m.8 views

CVE-2022-1605

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...

6.5CVSS6.7AI score0.00513EPSS
Exploits2References2
NVD
NVD
added 2022/06/13 1:15 p.m.25 views

CVE-2022-1605

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...

6.5CVSS0.00513EPSS
Exploits2References1
Prion
Prion
added 2022/06/13 1:15 p.m.17 views

Cross site request forgery (csrf)

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...

4.3CVSS6.4AI score0.00513EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/05/18 12:0 a.m.20 views

Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users PoC...

6.5CVSS4.1AI score0.00513EPSS
Exploits2Affected Software1
Hacker One
Hacker One
added 2022/05/09 12:25 a.m.47 views

Phabricator: Global default settings page is accessible to non-administrators

If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...

1AI score
Exploits0
Veracode
Veracode
added 2022/01/19 6:49 a.m.16 views

Cross-Site Request Forgery (CSRF)

remdex/livehelperchat is vulnerable to cross-site request forgery. The library does not properly validate the CSRF tokens in CannedMessage requests, allowing an attacker to create arbitrary canned messages, modify notification settings and group chat options...

4.3CVSS4AI score0.00439EPSS
Exploits1References3Affected Software1
Huntr
Huntr
added 2022/01/14 12:7 p.m.17 views

Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat

Description A CSRF issue is found in the SettingsLive help configurationCanned Messages. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Also while generating statistics, the action is done through GET method with no CSRF token. Two...

4.3CVSS4.7AI score0.00439EPSS
Exploits1
OSV
OSV
added 2021/07/12 8:15 p.m.4 views

CVE-2021-24419

The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyteytapikey and lytenotification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues...

4.8CVSS5.8AI score0.00626EPSS
Exploits2References2
OSV
OSV
added 2021/06/11 3:15 p.m.4 views

CVE-2021-25409

Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device...

2.4CVSS5.9AI score0.00104EPSS
Exploits0References1
CNVD
CNVD
added 2020/02/11 12:0 a.m.4 views

Rumpus FTP Web File Manager Cross-Site Request Forgery Vulnerability (CNVD-2020-04695)

Rumpus FTP Web File Manager is a file transfer server. A cross-site request forgery vulnerability exists in the Event Notification Settings feature of Web File Manager in Rumpus FTP version 8.2.9.1. The vulnerability stems from the WEB application not adequately verifying that requests are coming...

4.3CVSS6.9AI score0.00379EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2020/01/06 12:0 a.m.50 views

FreeBSD : Gitlab -- Multiple Vulnerabilities (01bde18a-2e09-11ea-a935-001b217b3468)

SO-AND-SO reports : Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in the...

5.3CVSS4.9AI score0.01107EPSS
Exploits0References10
FreeBSD
FreeBSD
added 2020/01/02 12:0 a.m.34 views

Gitlab -- Multiple Vulnerabilities

The GitLab Team reports: Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in t...

5.3CVSS4.9AI score0.01107EPSS
Exploits0References1
OSV
OSV
added 2019/11/01 12:15 p.m.5 views

CVE-2019-16909

An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14J8 for Jira. It is possible to obtain a list of all Jira projects with authentication as a Jira user, but without authorization for specific projects via the plugins/servlet/nfj/NotificationSettings URI...

4.3CVSS5.8AI score0.01108EPSS
Exploits2References2
CVE
CVE
added 2019/11/01 11:36 a.m.70 views

CVE-2019-16909

CVE-2019-16909 affects Infosysta “In-App & Desktop Notifications” for Jira prior to 1.6.14_J8. An authenticated Jira user without project authorization can enumerate all Jira projects via the endpoint plugins/servlet/nfj/NotificationSettings, exposing information about projects. Root cause: insuf...

4.3CVSS4.7AI score0.01108EPSS
Exploits2References2Affected Software1
Hacker One
Hacker One
added 2019/08/08 3:48 p.m.22 views

HackerOne: Disclosure of Program email Title Report when being removed as contributor. Bypass for Report #645264

Summary: It is somehow related to this report 645264. But I found an alternative way to reproduce the issue even it is considered as resolved. Steps To Reproduce 1. As a Program admin, navigate to Program Settings 2. Click Program 3. Click Email Notifications 4. Make sure it is set to No Content ...

6.5AI score
Exploits0
Prion
Prion
added 2018/04/16 2:29 p.m.18 views

Design/Logic Flaw

Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...

4CVSS5AI score0.00908EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2018/04/16 2:29 p.m.21 views

CVE-2018-0531

Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...

4.3CVSS4.3AI score0.00908EPSS
Exploits0References2
OSV
OSV
added 2018/04/16 2:29 p.m.3 views

CVE-2018-0531

Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...

4.3CVSS5.8AI score0.00908EPSS
Exploits0References2
Hacker One
Hacker One
added 2014/03/03 8:44 p.m.19 views

OkCupid: Users can easily be tricked into changing/disabling privacy and notification settings

The page at www.okcupid.com/settingsis not protected against Cross-Site Request Forgery CSRF attacks. This means that an attacker can trick users into clicking a link, which will immediately change the settings of a user, without the user even being aware of the changes. The attack works like thi...

6.7AI score
Exploits0
Rows per page
Query Builder