Gwyn's Imagemap Selector Security Vulnerabilities

Design/Logic Flaw

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all...

CVE-2023-3426

The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all...

Attackers might be able to avoid calling reference modules when creating publications

Lines of code Vulnerability details Bug Description When comment(), mirror or quote() is called on a publication with a reference module, the reference module will be called. For example, when a user mirrors another publication with a reference module, the processMirror() function of that...

Malicious user can create an harmful proposal and execute it by setting a very low quorum .

Lines of code Vulnerability details Impact Malicious user can create an harmful proposal and execute it by setting a very low quorum . Which can lead to very bad consequences . Proof of Concept When creating a proposal, quorum is calculation logic looks like this : // get the quorum...

_getSelector does not return the right selector

Lines of code Vulnerability details Impact _getSelector(...) function in the CoreVoting.sol will NEVER return the correct function selector of a calldata string. This can lead to malfunction in the system when creating a proposal. Proof of Concept The function selector is suppose to be the hash...

XWiki 3.0-rc-1 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.2 Code Injection Vulnerability (GHSA-3hjg-cghv-22ww)

Xwiki is prone to a code injection...

Multisig's functionality is impaired when Signers#threshold is 1

Lines of code https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/auth/MultisigBase.sol#L44-L77 https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/auth/MultisigBase.sol#L159-L161...

Allowed calls in LSP6KeyManager doesn't allow calls with empty calldata

Lines of code Vulnerability details Bug Description Whenever a controller attempts to call a LSP0 account's execute() function without the relevant SUPER permissions, LSP6ExecuteModule will check that the call is one of the whitelisted allowed calls. If the controller is trying to perform a call...

Incorrect Interface ID for LSP0

Lines of code Vulnerability details Impact The interface ID stated for LSP0 in LSP0Constants.sol and LIP-0 is 0x3e89ad98, which will affect related logics. Proof of Concept According to LIP-0, this ID is derived from the XOR of the following: selector of batchCalls() IDs of the following...

A Storage Write Removal Bug in contracts

Lines of code Vulnerability details Summary In _fallbackLSP17Extendable(), Calling functions that conditionally terminate the external EVM call using the assembly statements return(...) may result in incorrect removals of prior storage writes. Impact In LSP17Extendable.sol,...

Using supportsERC165InterfaceUnchecked() might break LSP functionality for certain contracts

Lines of code Vulnerability details Bug Description Throughout the codebase, the protocol uses the supportsERC165InterfaceUnchecked() function from Openzeppelin's ERC165Checker.sol to check for the support of ERC-165 interface IDs. However, supportsERC165InterfaceUnchecked() only checks if the...

user with ADDEXTENSIONS and CHANGEEXTENSIONS will remove extension unintentional

Lines of code Vulnerability details Summary Adding extension use 4 bytes function selector to add new extension, and if user with ADDEXTENSIONS permission also has CHANGEEXTENSIONS permission and wants to add new extension and there is an extension with that function selector, extension will be...

Debian: Security Advisory (DLA-3493-1)

The remote host is missing an update for the...

Debian DLA-3493-1 : symfony - LTS security update

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3493 advisory. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without...

[SECURITY] [DLA 3493-1] symfony security update

Debian LTS Advisory DLA-3493-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin July 11, 2023 https://wiki.debian.org/LTS Package : symfony Version : 3.4.22+dfsg-2+deb10u2 CVE...

Function collision between extension functions and account functions

Lines of code Vulnerability details Impact Users or owner can't use extensions because of collision between extension functions and account functions Proof of Concept Whenever someone calls account it will check for functions inside it, if there isn't function it goes to fallback to check...

_payFallbackGas is not being paid in case selector is 0x07 or 0x08

Lines of code Vulnerability details Impact _payFallbackGas gas is not being paid for selectors 0x07 and 0x08 which causes a loss for protocol's execution gas budget. In case Execution budget is not enough then anyFallback will fail. Proof of Concept In _payFallbackGas() gas should always be paid...

Security Bulletin: IBM Security Directory Integrator is affected by multiple security vulnerabilities

Summary IBM Security Directory Integrator has addressed several security issues in open source packages. Please apply the fix as detailed below. Vulnerability Details ** CVEID: CVE-2018-1270 DESCRIPTION: **Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the...

[adriro-NEW-M-02]: Wallet design prevents EIP-165 extensibility

Lines of code Vulnerability details [adriro-NEW-M-02]: Wallet design prevents EIP-165 extensibility The current wallet fallback design prevents the extensibility of the EIP-165 functionality. Impact Ambire wallet extensibility is provided by a fallback mechanism. If a fallback handler is defined...

Siemens SIMOTION

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

Unbreakable Enterprise kernel security update

[5.4.17-2136.320.7] - selftests: fib_tests: mute cleanup error message (Po-Hsu Lin) - KVM: arm64: PMU: Align chained counter implementation with architecture pseudocode (Marc Zyngier) [Orabug: 35449815] - KVM: arm64: Filter out v8.1+ events on v8.0 HW (Marc Zyngier) [Orabug: 35449815] - KVM:...

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`

Summary The return value when using delegate call mechanics, either through CallBuilder::delegate or ink_env::invoke_contract_delegate, is being decoded incorrectly. Description Consider this minimal example: ``rust // First contract, this will be performing a delegate call to theCallee`....

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`

Summary The return value when using delegate call mechanics, either through CallBuilder::delegate or ink_env::invoke_contract_delegate, is being decoded incorrectly. Description Consider this minimal example: ``rust // First contract, this will be performing a delegate call to theCallee`....

createAction() ,castApproval(), castDisapproval() functions vulnerable replay attacks

Lines of code https://github.com/code-423n4/2023-06-llama/blob/9d422c264b57657098c2784aa951852cad32e01c/src/LlamaCore.sol#L259-L268 https://github.com/code-423n4/2023-06-llama/blob/9d422c264b57657098c2784aa951852cad32e01c/src/LlamaCore.sol#L516-L562...

Unbreakable Enterprise kernel security update

[5.15.0-102.110.5] - RISC-V: Fix up a cherry-pick warning in setup_vm_final() (Alexandre Ghiti) - Revert 'Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work' (Liu Jian) - riscv: mm: remove redundant parameter of create_fdt_early_page_table (Song Shuai) - kernfs:...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.320.7.el7] - selftests: fib_tests: mute cleanup error message (Po-Hsu Lin) - KVM: arm64: PMU: Align chained counter implementation with architecture pseudocode (Marc Zyngier) [Orabug: 35449815] - KVM: arm64: Filter out v8.1+ events on v8.0 HW (Marc Zyngier) [Orabug: 35449815] -...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.320.7.el8] - selftests: fib_tests: mute cleanup error message (Po-Hsu Lin) - KVM: arm64: PMU: Align chained counter implementation with architecture pseudocode (Marc Zyngier) [Orabug: 35449815] - KVM: arm64: Filter out v8.1+ events on v8.0 HW (Marc Zyngier) [Orabug: 35449815] -...

Lack of reentrancy protection in L1ERC721Bridge.sol

Lines of code Vulnerability details Summary Calling IERC721.transferFrom() in the L1ERC721Bridge._initiateBridgeERC721() after writing the deposit makes a reentrancy attack possible if there is a callback before transfer in the _localToken contract (we will name such a contract ERC721Callback)....

Underpaying Optimism l2gas(_minGasLimit) may lead to loss of funds

Lines of code Vulnerability details Impact The contract L1StandardBridge.sol is susceptible to a vulnerability where underpaying the l2Gas(here in all contract, it used as "_minGasLimit") value provided by users can result in a potential loss of funds. This vulnerability exists in the...

Security Bulletin: IBM Security Directory Suite is vulnerable to multiple issues

Summary Multiple Security Vulnerabilities in the IBM Security Directory Suite have been addressed by code updates and updating the relevant components. Vulnerability Details ** CVEID: CVE-2022-22475 DESCRIPTION: **IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5.....

_initiateBridgeERC20() does not check if _remoteToken is valid. When the message send to L2, it will cause user lossing funds in L1

Lines of code Vulnerability details Impact _initiateBridgeERC20() does not check if _remoteToken is valid. When the message send to L2, it will cause user lossing funds in L1 Proof of Concept As we can see, the_initiateBridgeERC20 just check _isOptimismMintableERC20(_localToken),if valid ,it will.....

If no funds are deposited at the beginning, L1-L2 cannot be transferred out

Lines of code Vulnerability details Impact If user transfer tokenA-tokenB from L1 to L2, and the L2 deposits[tokenB][tokenA] is zero at the beginning.It will cause user lossing his funds. Proof of Concept First, user transfer TokenA, and it will send Message to L2 and L2 will call...

Liferay Portal 7.4.3.50 < 7.4.3.51 XSS

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title field....

Fallback handlers can trick users into calling functions of the AmbireAccount contract

Lines of code Vulnerability details Fallback handlers can trick users into calling functions of the AmbireAccount contract Selector clashing can be used to trick users into calling base functions of the wallet. Impact Fallback handlers provide extensibility to the Ambire wallet. The main idea here....

Cross-site scripting in Liferay Portal

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

Cross-site scripting in Liferay Portal

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

CVE-2023-33942

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

CVE-2023-33942

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

CVE-2023-33942

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

Cross site scripting

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

CVE-2023-33942

Cross-site scripting (XSS) vulnerability in the Web Content Display widget's article selector in Liferay Liferay Portal 7.4.3.50, and Liferay DXP 7.4 update 50 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a web content article's Title...

Loss Of Funds

vyper is vulnerable to Loss of Funds. The vulnerability is due to the call value check being called inside the selector section, which makes it possible to send funds to a non-payable default function by using less then 4 bytes of call data. This can result in the loss of...

python27:2.7 security update

babel [2.5.1-10] - Fix CVE-2021-20095 Resolves: rhbz#1955615 [2.5.1-9] - Bumping due to problems with modular RPM upgrade path - Resolves: rhbz#1695587 [2.5.1-8] - Fix unversioned requires/buildrequires - Resolves: rhbz#1628242 [2.5.1-7] - Remove unversioned binaries - Resolves: rhbz#1613343...

Oracle Linux 8 : libreswan (ELSA-2023-3095)

The remote Oracle Linux 8 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2023-3095 advisory. Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector...

Image Builder security, bug fix, and enhancement update

cockpit-composer [45-1.0.1] - Make per page documentation links point to Oracle Linux [Orabug: 32013095] [45-1] - New upstream release [44-1] - New upstream release [43-1] - New upstream release [42-1] - New upstream release [40-1] - New upstream release [39-1] - New upstream release [38-1] - New.....

libreswan security and bug fix update

[4.9-2.0.1.2] - Add libreswan-oracle.patch to detect Oracle Linux distro [4.9-2.2] - Update libreswan-4.9-2176248-authby-rsasig.patch [4.9-2.1] - Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy [4.9-2] - Fix CVE-2023-23009: remote DoS via crafted TS payload with an incorrect selector...

Vyper's nonpayable default functions are sometimes payable

Impact in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to...

Vyper's nonpayable default functions are sometimes payable

Impact in contracts with at least one regular nonpayable function, due to the callvalue check being inside of the selector section, it is possible to send funds to the default function by using less than 4 bytes of calldata, even if the default function is marked nonpayable. this applies to...

AlmaLinux 8 : libreswan (ALSA-2023:3095)

The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2023:3095 advisory. Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector...

Malicious code in docs-component-folder-selector (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (029903e7351485fc54de0e50d6f2f3c9c822895bd8d97930476b5a69f23dd6f9) The OpenSSF Package Analysis project identified 'docs-component-folder-selector' @ 1.0.6 (npm) as malicious. It is considered malicious because: -.....