225 matches found

Packet Storm News
added 2026/04/21 12:0 a.m. (0 views)

Understanding Password Preferences, Memorability, and Security through a Human-Centered Lens

Passwords remain the primary authentication method, yet user-created passwords are often the weakest due to the security-usability trade-off. Although AI-based password generators are emerging, little is known about their effectiveness and user perceptions. This eye-tracking study examined how...

AI score 5.8
Exploits 0

NVD
added 2026/04/17 11:16 p.m. (2 views)

CVE-2026-40486

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, EPSS 0.0002
Exploits 1, References 2

Cvelist
added 2026/04/17 10:35 p.m. (16 views)

CVE-2026-40486 Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, EPSS 0.0002
Exploits 1, References 2

Vulnrichment
added 2026/04/17 10:35 p.m. (1 view)

CVE-2026-40486 Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, AI score 5.7, EPSS 0.0002
Exploits 1, References 2

CVE
added 2026/04/17 10:35 p.m. (12 views)

CVE-2026-40486

Kimai CVE-2026-40486 affects the User Preferences API. In versions

CVSS 4.3, AI score 5.7, EPSS 0.0002
Exploits 1, References 2, Affected Software 1

ATTACKERKB
added 2026/04/17 10:35 p.m. (1 view)

CVE-2026-40486

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourly_rate and internal_rate fields are...

CVSS 4.3, AI score 5.7, EPSS 0.0002
Exploits 1, References 3, Affected Software 1

CNNVD
added 2026/04/17 12:0 a.m. (4 views)

kimai security vulnerability

Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developer. Versions of Kimai 2.52.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of checks on the isEnabled flag in the user preference settings API endpoint,...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits 1, References 2

OSV
added 2026/04/15 7:46 p.m. (1 view)

GHSA-QH43-XRJM-4GGP Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Summary: A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user, even those with the lowest privileges, to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits 1, References 4

Github Security Blog
added 2026/04/15 7:46 p.m. (4 views)

Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Summary: A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user, even those with the lowest privileges, to arbitrarily modify restricted financial attributes on their profile, specifically their hourly_rate and...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits 1, References 4, Affected Software 1

Positive Technologies
added 2026/04/15 12:0 a.m. (2 views)

PT-2026-33218

Summary: A Mass Assignment / Broken Object Property Level Authorization (BOPA) vulnerability in the User Preferences API allows any authenticated user, even those with the lowest privileges, to arbitrarily modify restricted financial attributes on their profile, specifically their hourly rate and...

CVSS 4.3, AI score 5.8, EPSS 0.0002
Exploits 1, References 6

RedhatCVE
added 2026/03/26 3:16 p.m. (4 views)

CVE-2026-20692

A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content...

CVSS 5.3, AI score 5.8, EPSS 0.00046
Exploits 0, References 1

NVD
added 2026/03/25 1:17 a.m. (1 view)

CVE-2026-20692

A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content...

CVSS 5.3, EPSS 0.00046
Exploits 0, References 4

CVE
added 2026/03/25 12:31 a.m. (4 views)

CVE-2026-20692

Apple resolves a privacy issue by improving handling of user preferences; fixed in iOS/iPadOS 26.4 and macOS Sequoia 15.7.5, Sonoma 14.8.5, Tahoe 26.4. The advisory notes that "Hide IP Address" and "Block All Remote Content" may not apply to all mail content. Affected products include iOS 26.4/iP...

CVSS 5.3, AI score 5.8, EPSS 0.00046
Exploits 0, References 4, Affected Software 3

ATTACKERKB
added 2026/03/25 12:31 a.m. (0 views)

CVE-2026-20692

A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content...

AI score 5.8, EPSS 0.00046
Exploits 0, References 5

Positive Technologies
added 2026/03/24 12:0 a.m. (2 views)

PT-2026-27545

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 26.4; iPadOS versions prior to 26.4; macOS Sequoia versions prior to 15.7.5; macOS Sonoma versions prior to 14.8.5; macOS Tahoe versions prior to 26.4. Description: A privacy issue was identified relating to the handling of use...

CVSS 5.3, AI score 5.8, EPSS 0.00046
Exploits 0, References 7

Vulnrichment
added 2026/03/19 11:5 p.m. (1 view)

CVE-2026-29189 SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they...

CVSS 8.1, AI score 5.8, EPSS 0.00016
Exploits 0, References 2

OSV
added 2026/03/19 11:5 p.m. (0 views)

CVE-2026-29189 SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they...

CVSS 8.1, AI score 5.9, EPSS 0.00016
Exploits 0, References 4

Cvelist
added 2026/03/19 11:5 p.m. (19 views)

CVE-2026-29189 SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they...

CVSS 8.1, EPSS 0.00016
Exploits 0, References 2

CNNVD
added 2026/02/06 12:0 a.m. (2 views)

Payload security vulnerability

Payload is a headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.74.0 have a security vulnerability. This vulnerability stems from an insecure direct object reference within the payload-preferences collection. In environments...

CVSS 5.4, AI score 5.8, EPSS 0.00013
Exploits 0, References 2

Packet Storm
added 2025/12/03 12:0 a.m. (117 views)

RosarioSIS 6.7.2 Cross Site Scripting

RosarioSIS version 6.7.2 suffers from multiple cross site scripting vulnerabilities. Exploit Title: RosarioSIS 6.7.2 - Cross-Site Scripting XSS Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis Software Link:...

CVSS 6.1, AI score 6.7, EPSS 0.10197
Exploits 3