1288H V5; 2288H V5 Security Vulnerabilities

code423n4

balanceOf method can be manipulated to liquidate vault

Lines of code Vulnerability details Impact Deriving price from balanceOf can be manipulated to liquidate vault see example https://solodit.xyz/issues/deriving-price-with-balanceof-is-dangerous-spearbit-connext-pdf Attacker can provide ERC20 token to the vaultAsset and mint vault shares. The...

6.9 AI Score

2023-07-14 12:00 AM
2
code423n4

Permit does not revert for tokens that do not implement it.

Lines of code https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L468 Vulnerability details Impact Callers should not rely on permit to revert for arbitrary tokens especially if permit is used as a security check. Tokens which do not...

7 AI Score

2023-07-14 12:00 AM
2
code423n4

Vault.sponsor may take away the prize chance from the receiver.

Lines of code https://github.com/generationsoftware/pt-v5-twab-controller/blob/1cdf78e87a3d9127f85a3755024f143664643c5e/src/TwabController.sol#L500-L502 https://github.com/generationsoftware/pt-v5-twab-controller/blob/1cdf78e87a3d9127f85a3755024f143664643c5e/src/TwabController.sol#L656-L661...

6.8 AI Score

2023-07-14 12:00 AM
3
code423n4

An identical vault can be deployed with existing values, the logic controlling this is missing

Lines of code Vulnerability details VaultFactory. The deployVault() function deploys a new vault with 10 arguments, but does not check if there is a vault already deployed with the same arguments This seems to have been preferred as a design, but malicious people with copy safes can direct users...

6.9 AI Score

2023-07-14 12:00 AM
7
code423n4

deposit function does not check for the maxMint amount.

Lines of code Vulnerability details Impact It is theoretically possible for the deposit amount to mint shares more than the maxMint amount Proof of Concept The deposit function has a check for maxDeposit and reverts if the deposit value is more than max(uint96). But, it does not check the shares...

6.7 AI Score

2023-07-14 12:00 AM
5
code423n4

mintYieldFee function does not check for the maxMint amount.

Lines of code Vulnerability details Impact Theoretically, it is possible to mint more than the maxMint amount using the mintYieldFee function in the Vault contract. Proof of Concept The functions in Vault contract like mint, mintWithPermit call the _beforeMint function which checks whether _shares....

6.7 AI Score

2023-07-14 12:00 AM
7
code423n4

Missing access control in mintYieldFee allowing everybody to mint the available YieldFee to himself

Lines of code Vulnerability details Impact Everybody can call the mintYieldFee function in the Vault, when there is _yieldFeeTotalSupply available and mint shares to himself for free, which later results in stealing funds from the Vault. (if this is a desired behavior, which it shouldn't based on....

6.8 AI Score

2023-07-14 12:00 AM
7
code423n4

isTimeSafe and isTimeRangeSafe not implemented in the functions getBalanceAt and getTwabBetween

Lines of code https://github.com/GenerationSoftware/pt-v5-twab-controller/blob/0145eeac23301ee5338c659422dd6d69234f5d50/src/libraries/TwabLib.sol#L254-L276 Vulnerability details Impact The Natspec of both getBalanceAt and getTwabBetween functions indicates that they should implement the functions.....

7.1 AI Score

2023-07-14 12:00 AM
3
code423n4

The liquidate function lets the caller mint amountOut tokens without providing any

Lines of code Vulnerability details Impact There are a lot of checks to ensure the parameters of the liquidate function are correct. However, it does not check for _amountIn to NOT be 0, thus it lets the caller proceed and mint _amountOut tokens to _account without providing any Proof of Concept...

6.7 AI Score

2023-07-14 12:00 AM
6
code423n4

Users might lose their balances when they set delegates

Lines of code Vulnerability details Impact Undelegated users will lose their balances if they set delegate to themselves. Proof of Concept A User can set a delegate and the delegated balance of the user will be accounted on the delegate's delegated balance in the TWAB controller. The internal...

6.8 AI Score

2023-07-14 12:00 AM
5
code423n4

No access control on mintYieldFee

Lines of code Vulnerability details Impact Lack of access-control allows anyone to mint the yield fee to himself. Proof of Concept Vault.mintYieldFee does not restrict the _recipient yield fees: function mintYieldFee(uint256 _shares, address _recipient) external { ...

6.9 AI Score

2023-07-14 12:00 AM
5
code423n4

Unsecure and predictable random number generation in closeDraw.winningRandomNumber_()

Lines of code Vulnerability details Impact Unsecure and predictable random number generation in closeDraw.winningRandomNumber_() can lead to external influence by malicious attackers. Leading to undermining of the fairness and security and unpredictability of the draw function. Both the timestamp.....

6.8 AI Score

2023-07-14 12:00 AM
9
code423n4

The exchange rate is decreasing in Vault

Lines of code Vulnerability details Impact The exchange rate of the vaults will be decreasing and this will block core functionalities. Proof of Concept The exchange rate of the Vault is calculated as follows: min(_withdrawableAssets, _totalSupplyToAssets) * _assetUnit / _totalSupplyAmount =...

6.9 AI Score

2023-07-14 12:00 AM
4
code423n4

Malicious claimer could arbitrage the prize-claiming functionality

Lines of code Vulnerability details Impact The _feePerClaim is a user controlled parameter which tops at tierLiquidity.prizeSize for a given _tier (see here for that). That means the CLAIMER can set arbitrary fees for a given call to claimPrize to increase maliciously the collected fees with //...

6.8 AI Score

2023-07-14 12:00 AM
10
code423n4

Vault funds can be stolen by a malicious Yield Vault.

Lines of code Vulnerability details Impact When a vault is initialized, it sets Max Token Approval for the Yield Vault which allows the Yield Vault to ALWAYS have access to the funds in the vault. Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an.....

6.7 AI Score

2023-07-14 12:00 AM
2
code423n4

Incorrect amount of tokens is transferred before updating the accumulator and emitting the ContributePrizeTokens event

Lines of code Vulnerability details Impact An attacker can call the contributePrizeTokens function with a lower amount of tokens than claimed, misleading the contract to update the accumulator and emit the event based on the incorrect amount. As a result, the prize pool's internal state will be...

6.8 AI Score

2023-07-14 12:00 AM
1
code423n4

The output amount validation in Vault.liquidate() is not correct.

Lines of code Vulnerability details Impact The output amount validation is not correct in Vault.liquidate(), so the method might accept invalid output amount and refuse valid output amount. Proof of Concept In Vault.liquidate(), there is a validation about the output share amount should be less...

6.7 AI Score

2023-07-14 12:00 AM
4
code423n4

Attacker can force users to delegate to SPONSORSHIP_ADDRESS

Lines of code https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L494-L504 https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L982-L994 Vulnerability details Impact An attacker can....

6.6 AI Score

2023-07-14 12:00 AM
3
code423n4

Incorrect distribution of shares and liquidity as a result of total number of shares not equaling 100

Lines of code Vulnerability details Impact If the shares are not properly validated and do not add up to 100, there will be an imbalance in the distribution of funds resulting in loss of funds or locked funds that cannot be accessed or distributed correctly. Proof of Concept The constructor of the....

6.8 AI Score

2023-07-14 12:00 AM
3
code423n4

withdrawReserve will revert when withdrawing tokens with on chain tx fees

Lines of code Vulnerability details Impact Function will revert when _reserve is equal to _amount, when the token being transferred is a fee on transfer token. Proof of Concept function withdrawReserve( address _to, uint104 _amount ) external onlyDrawManager { function withdrawReserve( address...

6.8 AI Score

2023-07-14 12:00 AM
4
code423n4

Missing External Transfer Function In Vault

Lines of code Vulnerability details Impact Balances of TwabController for a vault can not be transferred. Proof of Concept The Vault implements an internal _transfer function meant to be used to transfer balances within the TwabController: function _transfer(address _from, address _to, uint256...

6.8 AI Score

2023-07-14 12:00 AM
2
code423n4

TwabLib::getTwabBetween can return inaccurate balances if _startTime and _endTime aren't safely bounded

Lines of code Vulnerability details M-01 TwabLib::getTwabBetween can return inaccurate balances if _startTime and _endTime aren't safely bounded Vulnerability details Here's the documentation of the get TwabLib::getTwabBetween function : File: twab-controller\src\libraries\TwabLib.sol 278: /**...

6.8 AI Score

2023-07-14 12:00 AM
7
code423n4

No access control for mintYieldFee()

Lines of code Vulnerability details Impact Anyone can mint the yield fee using mintYieldFee(). Proof of Concept mintYieldFee() mints the shares for yield fee. function mintYieldFee(uint256 _shares, address _recipient) external { _requireVaultCollateralized(); if (_shares >...

6.9 AI Score

2023-07-14 12:00 AM
2
exploitdb

6.6 AI Score

0.005 EPSS

2023-07-11 12:00 AM
108
packetstorm

7.1 AI Score

2023-07-11 12:00 AM
98
zdt

7.1 AI Score

0.005 EPSS

2023-07-11 12:00 AM
96
oraclelinux

virt:ol and virt-devel:rhel security and bug fix update

hivex libguestfs [1.44.0-9.0.1] - Replace upstream references from description tag - Config supermin to use host yum.conf in ol8 [Orabug: 29319324] - Set DISTRO_ORACLE_LINUX correspeonding to ol [1:1.44.0-9] - Fix CVE-2022-2211 Denial of Service in --key parameter resolves: rhbz#2101280...

5.5 CVSS

7.8 AI Score

0.0004 EPSS

2023-07-08 12:00 AM
49
githubexploit

Exploit for Use After Free in Linux Linux Kernel

fork from https://github.com/veritas501/hbp_attack_demo...

7.1 AI Score

2023-07-02 10:58 AM
101
cve

CVE-2023-32623

Directory traversal vulnerability in Snow Monkey Forms v5.1.1 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the...

9.1 CVSS

9.1 AI Score

0.002 EPSS

2023-06-28 05:15 AM
12
prion

Directory traversal

Directory traversal vulnerability in Snow Monkey Forms v5.1.1 and earlier allows a remote unauthenticated attacker to delete arbitrary files on the...

9.1 CVSS

9.2 AI Score

0.002 EPSS

2023-06-28 05:15 AM
7
qualysblog

Supporting Our U.S. Federal Customers for BOD 23–02 by Mitigating the Risk From Internet-Exposed Management Interfaces

On June 13, 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. The directive requires federal civilian executive-branch agencies to adhere to two primary actions: ....

7 AI Score

2023-06-26 08:14 AM
14
cve

CVE-2023-36358

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.7 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
15
cve

CVE-2023-36354

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.5 CVSS

7.6 AI Score

0.0005 EPSS

2023-06-22 08:15 PM
15
cve

CVE-2023-36357

An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.3 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
18
cve

CVE-2023-36359

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.5 CVSS

7.6 AI Score

0.0005 EPSS

2023-06-22 08:15 PM
13
cve

CVE-2023-36356

TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.5 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
10
prion

Cross site request forgery (csrf)

An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.2 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
65
prion

Out-of-bounds

TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.4 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
2
prion

Buffer overflow

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.5 CVSS

7.6 AI Score

0.0005 EPSS

2023-06-22 08:15 PM
3
prion

Buffer overflow

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.5 CVSS

7.6 AI Score

0.0005 EPSS

2023-06-22 08:15 PM
1
prion

Buffer overflow

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.7 CVSS

7.6 AI Score

0.0004 EPSS

2023-06-22 08:15 PM
2
cvelist

CVE-2023-36354

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.6 AI Score

0.0005 EPSS

2023-06-22 12:00 AM
cvelist

CVE-2023-36356

TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.3 AI Score

0.0004 EPSS

2023-06-22 12:00 AM
cvelist

CVE-2023-36357

An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET...

6.7 AI Score

0.0004 EPSS

2023-06-22 12:00 AM
cvelist

CVE-2023-36358

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.6 AI Score

0.0004 EPSS

2023-06-22 12:00 AM
cvelist

CVE-2023-36359

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET...

7.6 AI Score

0.0005 EPSS

2023-06-22 12:00 AM
ibm

Security Bulletin: IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874)

Summary This Security Bulletin addresses security vulnerabilities that have been remediated (CVE-2023-27871, CVE-2023-27873) and mitigated (CVE-2023-27874) in IBM Aspera Faspex 4.4.2 PL3. Vulnerability Details CVEID: CVE-2023-27874 DESCRIPTION: IBM Aspera is vulnerable to an XML external...

8.2 AI Score

0.001 EPSS

2023-06-20 10:11 PM
24
openvas

Mageia: Security Advisory (MGASA-2023-0201)

The remote host is missing an update for...

7.3 AI Score

0.008 EPSS

2023-06-20 12:00 AM
1

Total number of security vulnerabilities: 18717