99 matches found
CVE-2022-1605
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
CVE-2022-1605
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
Cross site request forgery (csrf)
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users PoC...
Phabricator: Global default settings page is accessible to non-administrators
If you go to /settings/, it correctly redirects to /settings/user/username/ and does not give you the option to change global default settings. However if you go straight to /settings/builtin/global/, any user can edit the global default settings. According to https://secure.phabricator.com/D1604...
Cross-Site Request Forgery (CSRF)
remdex/livehelperchat is vulnerable to cross-site request forgery. The library does not properly validate the CSRF tokens in CannedMessage requests, allowing an attacker to create arbitrary canned messages, modify notification settings and group chat options...
Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat
Description A CSRF issue is found in the SettingsLive help configurationCanned Messages. It was found that no CSRF token validation is getting done as no CSRF token is getting passed with the request. Also while generating statistics, the action is done through GET method with no CSRF token. Two...
CVE-2021-24419
The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyteytapikey and lytenotification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues...
CVE-2021-25409
Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device...
Rumpus FTP Web File Manager Cross-Site Request Forgery Vulnerability (CNVD-2020-04695)
Rumpus FTP Web File Manager is a file transfer server. A cross-site request forgery vulnerability exists in the Event Notification Settings feature of Web File Manager in Rumpus FTP version 8.2.9.1. The vulnerability stems from the WEB application not adequately verifying that requests are coming...
FreeBSD : Gitlab -- Multiple Vulnerabilities (01bde18a-2e09-11ea-a935-001b217b3468)
SO-AND-SO reports : Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in the...
Gitlab -- Multiple Vulnerabilities
The GitLab Team reports: Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in t...
CVE-2019-16909
An issue was discovered in the Infosysta "In-App & Desktop Notifications" app before 1.6.14J8 for Jira. It is possible to obtain a list of all Jira projects with authentication as a Jira user, but without authorization for specific projects via the plugins/servlet/nfj/NotificationSettings URI...
CVE-2019-16909
CVE-2019-16909 affects Infosysta “In-App & Desktop Notifications” for Jira prior to 1.6.14_J8. An authenticated Jira user without project authorization can enumerate all Jira projects via the endpoint plugins/servlet/nfj/NotificationSettings, exposing information about projects. Root cause: insuf...
HackerOne: Disclosure of Program email Title Report when being removed as contributor. Bypass for Report #645264
Summary: It is somehow related to this report 645264. But I found an alternative way to reproduce the issue even it is considered as resolved. Steps To Reproduce 1. As a Program admin, navigate to Program Settings 2. Click Program 3. Click Email Notifications 4. Make sure it is set to No Content ...
Design/Logic Flaw
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...
CVE-2018-0531
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...
CVE-2018-0531
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors...
OkCupid: Users can easily be tricked into changing/disabling privacy and notification settings
The page at www.okcupid.com/settingsis not protected against Cross-Site Request Forgery CSRF attacks. This means that an attacker can trick users into clicking a link, which will immediately change the settings of a user, without the user even being aware of the changes. The attack works like thi...