12 matches found

Snyk
added 2026/04/15 7:46 p.m. | 1 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the updateUserPreference process. An attacker can alter restricted financial attributes by sending crafted API requests to modify their own hourlyrat...

5.3 CVSS | 5.8 AI score | 0.0002 EPSS
Exploits: 1 | References: 2
NVD
added 2024/04/05 9:15 a.m. | 13 views

CVE-2024-28949

Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service...

6.5 CVSS | 4.7 AI score | 0.00118 EPSS
Exploits: 0 | References: 1
OSV
added 2023/08/23 7:33 p.m. | 16 views

CVE-2023-40176 SXSS in the user profile via the timezone displayer

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop...

9 CVSS | 5.1 AI score | 0.29415 EPSS
Exploits: 0 | References: 5
OSV
added 2023/08/21 7:59 p.m. | 27 views

GHSA-H8CM-3V5F-RGP6 XWiki Platform Stored Cross-site Scripting in the user profile via the timezone displayer

Impact Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop down no free text value it can still be set from JavaScript using the browser developer tools or b...

5.4 CVSS | 7.1 AI score | 0.29415 EPSS
Exploits: 0 | References: 5
OSV
added 2023/06/01 9:15 p.m. | 1 views

CVE-2023-29722

The Glitter Unicorn Wallpaper app for Android 7.0 thru 8.0 allows unauthorized apps to actively request permission to modify data in the database that records information about a user's personal preferences and will be loaded into memory to be read and used when the app is opened. An attacker cou...

9.1 CVSS | 7.3 AI score | 0.00374 EPSS
Exploits: 1 | References: 1
GitHub Security Blog
added 2022/08/06 5:20 a.m. | 24 views

Byobu user preference to prevent private discussions being started are not respected

Impact Users electing to prevent others starting private discussions with themselves. Please note that admins and others with appropriate permissions can always bypass this preference, as was the case before. Patches Users of Byobu should update the extension to version 1.1.7, where this has been...

4.3 CVSS | 5.1 AI score | 0.00168 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2022/08/06 5:20 a.m. | 25 views

GHSA-6GJM-6WJ6-4PX5 Byobu user preference to prevent private discussions being started are not respected

Impact Users electing to prevent others starting private discussions with themselves. Please note that admins and others with appropriate permissions can always bypass this preference, as was the case before. Patches Users of Byobu should update the extension to version 1.1.7, where this has been...

3.5 CVSS | 4.3 AI score | 0.00168 EPSS
Exploits: 0 | References: 4
Veracode
added 2022/02/28 8:9 a.m. | 21 views

Cross-site Scripting (XSS)

Apache JSPWiki is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization on the user preference page via the UserName variable...

6.1 CVSS | 2 AI score | 0.04453 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
ThreatPost
added 2012/10/30 4:35 p.m. | 9 views

Calling Foul on the Political Football That is Do Not Track

It looks like it’s time for a do-over for DNT. The oft-maligned specification has become—like many other standards efforts before it—a political football. Parties with interests on both sides of the issue have their own agendas, cannot agree on semantics and ignore, in this case, what should be t...

6.7 AI score
Exploits: 0 | References: 4
OSV
added 2012/04/05 2:55 p.m. | 1 views

DEBIAN-CVE-2012-2054

Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the 1 Comment, 2 Document, 3 IssueCategory, 4 MembersController, 5 Message, 6 News, 7 TimeEntry, 8 Version, 9 Wiki, 10 UserPreference, o...

5 CVSS | 6.7 AI score | 0.00274 EPSS
Exploits: 0 | References: 1
ThreatPost
added 2011/11/15 8:37 p.m. | 12 views

W3C Publishes Do Not Track Proposal

The W3C has proposed a standard for implementing the Do Not Track mechanism for both users and site owners, wading into what has become a contentious and fractious debate. The proposed standard, known as the Tracking Preference Expression, is designed to give users the ability to tell sites what...

0.2 AI score
Exploits: 0 | References: 3
NVD
added 2005/11/01 12:47 p.m. | 17 views

CVE-2005-2750

Software Update in Mac OS X 10.4.2, when the user marks all updates to be ignored, exits without asking the user to reset the status of the updates, which could prevent important, security-relevant updates from being installed...

2.1 CVSS | 6.5 AI score | 0.00093 EPSS
Exploits: 0 | References: 7