Malicious code in fc-account-selector (npm)
Source: ghsa-malware (e2a2b9137afe6979e5b25e3e2aba4da1a9152feee7e21f1fc61c909273642d2c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AI Score 7.2
Lines of code https://github.com/code-423n4/2023-01-canto-identity/tree/main/src/CidNFT.sol#L193 https://github.com/code-423n4/2023-01-canto-identity/tree/main/src/SubprotocolRegistry.sol#L87 Vulnerability details The following contracts use solmate's SafeTransferLib:...
AI Score 6.9
DOS mint and add by frontrunning
Lines of code Vulnerability details Impact CidNFT.mint(bytes[]) allows a user to mint and add subprotocol NFTs directly after minting. The _addList args to the add call include the _cidNFTID param, which can change if there are other mints before the user's transaction. Proof of Concept An attacker...
AI Score 6.8
Attacker can steal the NFT bought by sending it to another vault he controls
Lines of code Vulnerability details Impact The mitigation of H-08 tries to validate the vault returned by _market with the VaultRegistry. However, it only validates that the vault exists, not that it is the correct vault. A similar attack described in code-423n4/2022-12-tessera-findings#47 can be...
AI Score 6.7
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4246 advisory. picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299) wildfly: XML validation manipulation due to...
AI Score 7.1
EPSS 0.001
We appreciate the collaboration and responsible disclosure of this...
AI Score 7
Unbreakable Enterprise kernel security update
[5.15.0-6.80.3.1] - Revert 'rds: ib: Enable FC by default' (Hakon Bugge) [Orabug: 34964359] [5.15.0-6.80.3] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888471] - rds: ib: Fix leaked MRs during kexec (Hakon Bugge) [Orabug: 34892082] - uek-rpm: Add ptp_kvm.ko to core...
CVSS 8.8
AI Score 8.6
EPSS 0.001
Unbreakable Enterprise kernel-container security update
[5.15.0-6.80.3.1] - Revert 'rds: ib: Enable FC by default' (Hakon Bugge) [Orabug: 34964359] [5.15.0-6.80.3] - net/mlx5: Suppress error logging on UCTX creation (Marina) [Orabug: 34888471] - rds: ib: Fix leaked MRs during kexec (Hakon Bugge) [Orabug: 34892082] - uek-rpm: Add ptp_kvm.ko to core...
CVSS 8.8
AI Score 8.6
EPSS 0.001
Regular Expression Denial Of Service (ReDoS)
mootools-core is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists in the Slick.parse function in Slick.Parser.js, which does not properly handle a user-injected string in a CSS selector at runtime, allowing remote attackers to cause a denial of service...
CVSS 7.5
AI Score 7
EPSS 0.001
MooTools Regular Expression Denial of Service
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 6.9
EPSS 0.001
MooTools Regular Expression Denial of Service
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 6.5
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 7.2
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 7.3
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 6.6
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 6.6
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 7.4
EPSS 0.001
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 7.5
AI Score 7.3
EPSS 0.001
CVE-2021-32821 Regular expression Denial of Service in MooTools
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite...
CVSS 6.2
AI Score 7.6
EPSS 0.001
Fedora 36 : drupal7 (2022-9d655503ea)
The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-9d655503ea advisory. Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to...
CVSS 7.5
AI Score 7.4
EPSS 0.005
Fedora 35 : drupal7 (2022-bf18450366)
The remote Fedora 35 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-bf18450366 advisory. Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to...
CVSS 7.5
AI Score 7.4
EPSS 0.005
Collateral NFT deposited to a wrong address, when transferred directly to PaprController
Lines of code Vulnerability details Impact Users will lose collateral NFTs when they are transferred to PaprController by an approved address or an operator. Proof of Concept The PaprController allows users to deposit NFTs as collateral to borrow Papr tokens. One of the ways of depositing is by...
AI Score 6.7
Lines of code Vulnerability details Impact The collateral is assigned to the operator's vault because of a parameter mismatch. This impacts the ability of third parties to integrate the PaprController contract. You're not able to create an intermediary contract that adds collateral to a user's...
AI Score 6.6
Misunderstanding operator with from
Lines of code Vulnerability details Author: rotcivegaf Impact The owner of an ERC721 token could approve an operator to manage his tokens. Because operator is confused with from in the onERC721Received function, the benefits of this function go to the operator instead of the...
AI Score 6.7
A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not...
CVSS 8.8
AI Score 8.5
EPSS 0.001
A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not...
CVSS 8.8
EPSS 0.001
A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not...
CVSS 8.8
AI Score 8.6
EPSS 0.001
CVE-2022-44643 Access policy with access to all tenants and using label selectors has more access
A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not...
CVSS 5.7
AI Score 8.8
EPSS 0.001
[SECURITY] Fedora 36 Update: rubygem-nokogiri-1.13.10-1.fc36
Nokogiri parses and searches XML/HTML very quickly, and also has correctly implemented CSS3 selector support as well as XPath support. Nokogiri also features an Hpricot compatibility layer to help ease the change to using correct CSS and...
CVSS 7.5
AI Score 1.8
EPSS 0.001
[SECURITY] Fedora 37 Update: rubygem-nokogiri-1.13.10-1.fc37
Nokogiri parses and searches XML/HTML very quickly, and also has correctly implemented CSS3 selector support as well as XPath support. Nokogiri also features an Hpricot compatibility layer to help ease the change to using correct CSS and...
CVSS 7.5
AI Score 1.8
EPSS 0.001
Fedora: Security Advisory for rubygem-nokogiri (FEDORA-2022-b5c325caad)
The remote host is missing an update for...
CVSS 7.5
AI Score 7.8
EPSS 0.001
Fedora: Security Advisory for rubygem-nokogiri (FEDORA-2022-acff3f54b2)
The remote host is missing an update for...
CVSS 7.5
AI Score 7.8
EPSS 0.001
Debian DLA-3230-1 : jqueryui - LTS security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3230 advisory. jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from...
CVSS 6.5
AI Score 7.1
EPSS 0.004
[SECURITY] [DLA 3230-1] jqueryui security update
Debian LTS Advisory DLA-3230-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta December 07, 2022 https://wiki.debian.org/LTS Package : jqueryui Version : 1.12.1+dfsg-5+deb10u1 CVE...
CVSS 6.5
AI Score 7.3
EPSS 0.004
Unbreakable Enterprise kernel security update
[4.14.35-2047.519.2.1] - xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284] - xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284] [4.14.35-2047.519.2] - Revert 'xfs: don't use delalloc extents for COW on files with...
CVSS 7.8
AI Score -0.1
EPSS 0.0004
Unbreakable Enterprise kernel-container security update
[4.14.35-2047.519.2.1.el7] - xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284] - xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284] [4.14.35-2047.519.2] - Revert 'xfs: don't use delalloc extents for COW on files with...
CVSS 7.8
AI Score -0.1
EPSS 0.0004
Lines of code https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L51-L112 https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelETH.sol#L43-L49 Vulnerability details Impact When ETH amount is trapped in the...
AI Score 6.9
The owner of the contract can break the storage of the LooksRareAggregator contract
Lines of code https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L88 Vulnerability details Impact The owner of the contract can break the storage of the LooksRareAggregator contract Proof of Concept The addFunction() function -...
AI Score 6.8
User can drain all ether from LooksRareAggregator contract
Lines of code Vulnerability details Impact Anyone could drain all ether from this contract. Proof of Concept function execute( TokenTransfer[] calldata tokenTransfers, TradeData[] calldata tradeData, address originator, address recipient, bool isAtomic ...
AI Score 6.7
New Vulnerability in Popular Widget Shows Risks of Third-Party Code
UPDATE: Snyk has recently addressed 2 additional vulnerabilities we have reported to them, CVE-2022-24441 and CVE-2022-22984, affecting versions of Snyk CLI before XXX, which leads to arbitrary code execution when scanning untrusted Maven or Gradle projects. Similar to CVE-2022-40764 these...
CVSS 8.8
AI Score 0.3
EPSS 0.018
uint16 type for the facet position and selector position
Lines of code https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/zksync/libraries/Diamond.sol#L33 https://github.com/code-423n4/2022-10-zksync/blob/main/ethereum/contracts/zksync/libraries/Diamond.sol#L190...
AI Score 7.1
Dell Wyse Management Suite < 3.7 Multiple Vulnerabilities (DSA-2022-143)
The version of Dell Wyse Management Suite installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the DSA-2022-143 advisory. jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value...
CVSS 6.5
AI Score 6.2
EPSS 0.004
Security update for the Linux Kernel (important)
An update that solves 32 vulnerabilities, contains two features and has 84 fixes is now available. Description: The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2016-3695: Fixed an issue inside the...
CVSS 8.8
AI Score -0.4
EPSS 0.01
Security update for the Linux Kernel (important)
An update that solves 17 vulnerabilities, contains one feature and has 29 fixes is now available. Description: The SUSE Linux Enterprise 15 SP3 kernel was updated. The following security bugs were fixed: CVE-2022-40768: Fixed information leak in the scsi driver which allowed local users...
CVSS 8.8
AI Score 0.3
EPSS 0.01
PA1D._payoutTokens() won't work for USDT and other inconsistent ERC20 tokens.
Lines of code Vulnerability details Impact Some ERC20 tokens (USDT, BNB, OMG) do not return a boolean on successful transfer. Checking the returned value of transfer for these tokens will always fail. Proof of Concept Usage of the ERC20 interface and a require statement in PA1D.sol....
AI Score 6.8
Optimistic bridging pattern, can lead to bridge exploitation
Lines of code https://github.com/holographxyz/holograph-protocol/blob/c4_audit/contracts/HolographBridge.sol#L270 Vulnerability details Impact Zero-deposit bridging: users can fake the depositing process yet mint multiple tokens on the destination chain. The bridging is optimistic,...
AI Score 7.2
Unbreakable Enterprise kernel security update
[5.15.0-3.60.5.1] - fs: remove no_llseek (Jason A. Donenfeld) [Orabug: 34721465] - vfio: do not set FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - dma-buf: remove useless FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] - fs: do not compare against ->llseek (Jason A....
CVSS 7
AI Score -0.2
EPSS 0.0004