IndraMotion MLC L20, L40 Security Vulnerabilities

osv

BIT-tensorflow-2021-29611

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. The...

5.5 CVSS

6.7 AI Score

0.0004 EPSS

2024-03-06 11:18 AM
2
osv

BIT-tensorflow-2021-37640

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

5.5 CVSS

6.7 AI Score

0.0004 EPSS

2024-03-06 11:17 AM
4
osv

BIT-tensorflow-2021-37661

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-03-06 11:17 AM
4
talos

Adobe Acrobat Reader Font CPAL numColorRecords out-of-bounds read vulnerability

Talos Vulnerability Report TALOS-2023-1905 Adobe Acrobat Reader Font CPAL numColorRecords out-of-bounds read vulnerability February 15, 2024 CVE Number CVE-2024-20735 SUMMARY An out-of-bounds read vulnerability exists in the font file processing functionality of Adobe Acrobat Reader...

5.5 CVSS

6.8 AI Score

0.001 EPSS

2024-02-15 12:00 AM
10
cve

CVE-2024-0448

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget URL parameters in all versions up to, and including, 8.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....

6.4 CVSS

5.6 AI Score

0.001 EPSS

2024-02-05 10:16 PM
12
nvd

CVE-2024-0448

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget URL parameters in all versions up to, and including, 8.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....

5.4 CVSS

5.7 AI Score

0.001 EPSS

2024-02-05 10:16 PM
cvelist

CVE-2024-0448

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget URL parameters in all versions up to, and including, 8.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....

6.4 CVSS

5.8 AI Score

0.001 EPSS

2024-02-05 09:21 PM
code423n4

Interface improperly implemented

Lines of code 34, 34, 34, 34, 30, 31, 32, 34, 35,...

7.1 AI Score

2023-12-12 12:00 AM
1
code423n4

Replay Attack because EIP712 DOMAIN_SEPARATOR stored as immutable

Lines of code https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/ocean/ERC1155PermitSignatureExtension.sol#L40 https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/ocean/OceanERC1155.sol#L36-L39...

6.8 AI Score

2023-12-08 12:00 AM
5
github

Cueing up a calculator: an introduction to exploit development on Linux

In this follow-up to my previous blog post, I'll explain how to exploit CVE-2023-43641 (a memory corruption vulnerability in libcue) to create a reliable 1-click RCE on Ubuntu 23.04 and Fedora 38. I have also published the source code of the proof of concept. To quickly recap the previous blog...

8.8 CVSS

8.1 AI Score

0.014 EPSS

2023-12-06 05:30 PM
9
github

Securing our home labs: Home Assistant code review

Introduction In July, the GitHub Security Lab team conducted a collaborative review of one of our favorite software pieces. While it's not uncommon for our Security Lab researchers to work together on audits and research projects, we found that conducting team audits occasionally provides a...

9 CVSS

8.1 AI Score

0.001 EPSS

2023-11-30 01:52 PM
11
code423n4

Interface improperly implemented

Lines of code 34, 34, 34, 34, 30, 31, 32, 34, 35,...

7.1 AI Score

2023-11-29 12:00 AM
2
osv

Uptime Kuma Authenticated remote code execution via TailscalePing

Summary The runTailscalePing method of the TailscalePing class injects the hostname parameter inside a shell command, leading to a command injection and the possibility to run arbitrary commands on the server. Details When adding a new monitor on Uptime Kuma, we can select the "Tailscale Ping"...

8.2 AI Score

2023-11-27 05:25 PM
28
github

Uptime Kuma Authenticated remote code execution via TailscalePing

Summary The runTailscalePing method of the TailscalePing class injects the hostname parameter inside a shell command, leading to a command injection and the possibility to run arbitrary commands on the server. Details When adding a new monitor on Uptime Kuma, we can select the "Tailscale Ping"...

8.2 AI Score

2023-11-27 05:25 PM
16
hackerone

GitLab: Stored-XSS injected in Wiki page via Banzai pipeline

Hello, I found a vulnerability in AbstractReferenceFilter class that can be exploited to inject any HTML elements leading to stored-XSS. Reproduce Create a new project. Go to its Wikis, Create your first page button, then fill the form: Title: _sidear Content: please see in _sidebar.md attached...

7.1 AI Score

2023-11-19 11:54 AM
1
cve

CVE-2023-4723

The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.12.7 via the ajax_eae_post_data function. This can allow unauthenticated attackers to extract sensitive data including post/page ids and titles including those of...

5.3 CVSS

5.6 AI Score

0.001 EPSS

2023-11-15 11:15 PM
36
nvd

CVE-2023-4723

The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.12.7 via the ajax_eae_post_data function. This can allow unauthenticated attackers to extract sensitive data including post/page ids and titles including those of...

5.3 CVSS

0.001 EPSS

2023-11-15 11:15 PM
cvelist

CVE-2023-4723

The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.12.7 via the ajax_eae_post_data function. This can allow unauthenticated attackers to extract sensitive data including post/page ids and titles including those of...

5.3 CVSS

5.6 AI Score

0.001 EPSS

2023-11-15 10:32 PM
code423n4

Shares Manipulation DoS Vulnerability in StakedUSDe

Lines of code https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L190-L194 https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225-L239 Vulnerability details Impact The StakedUSDe contract is vulnerable to manipulation by a malicious actor,....

6.9 AI Score

2023-10-30 12:00 AM
2
cve

CVE-2023-5705

The VK Filter Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk_filter_search' shortcode in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS

5.2 AI Score

0.001 EPSS

2023-10-27 12:15 PM
55
nvd

CVE-2023-5705

The VK Filter Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk_filter_search' shortcode in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4 CVSS

5.7 AI Score

0.001 EPSS

2023-10-27 12:15 PM
cvelist

CVE-2023-5705

The VK Filter Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk_filter_search' shortcode in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS

5.8 AI Score

0.001 EPSS

2023-10-27 11:28 AM
code423n4

Updating safeManager reference in Vault721 will brick transfer of safes

Lines of code Vulnerability details Impact Updating safeManager reference in Vault721 will brick safe transfers since the state of the new ODSafeManager instance won't have corresponding data. In addition, it is not clear how it would be possible to achieve seamless migration as particular...

7 AI Score

2023-10-25 12:00 AM
8
nvd

CVE-2023-4919

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above,...

5.4 CVSS

5.7 AI Score

0.0005 EPSS

2023-10-20 07:15 AM
cve

CVE-2023-4919

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above,...

6.4 CVSS

5.3 AI Score

0.0005 EPSS

2023-10-20 07:15 AM
31
cvelist

CVE-2023-4919

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above,...

6.4 CVSS

5.9 AI Score

0.0005 EPSS

2023-10-20 06:35 AM
code423n4

The WalletRegistry.sol#registerWallet() function can be used to register wallet by anyone.

Lines of code Vulnerability details Impact Anyone can register wallet allowing anyone to set the iswallet[msg.sender] to true for themselves allowing them to exploit other functions. Proof of Concept From the comment on the registerWallet() function below, the registerWallet() function Can only be....

7 AI Score

2023-10-20 12:00 AM
1
nvd

CVE-2023-1259

The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

5.5 CVSS

4.5 AI Score

0.0004 EPSS

2023-10-14 12:15 PM
cve

CVE-2023-1259

The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

5.5 CVSS

5.3 AI Score

0.0004 EPSS

2023-10-14 12:15 PM
28
cvelist

CVE-2023-1259

The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4 CVSS

5.3 AI Score

0.0004 EPSS

2023-10-14 11:09 AM
code423n4

Hash Collisions and Front-Running Risk

Lines of code https://github.com/code-423n4/2023-10-ens/blob/ed47c841a19abd26681110a26ef03c446da2b6dd/contracts/ERC20MultiDelegate.sol#L15-L20 Vulnerability details https://github.com/code-423n4/2023-10-ens/blob/ed47c841a19abd26681110a26ef03c446da2b6dd/contracts/ERC20MultiDelegate.sol#L15-L20 ...

7.1 AI Score

2023-10-11 12:00 AM
2
code423n4

ENS (ERC20Votes) token transferred to the proxy contract will be lost forever.

Lines of code https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L110-L112 Vulnerability details Impact ENS (ERC20Votes) token transferred to the proxy contract will be lost forever. As delegation amount is out of sync with the.....

7 AI Score

2023-10-11 12:00 AM
3
code423n4

Needs a secure modifier

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The ERC20ProxyDelegator constructor appears to be used for delegating voting rights to a delegate by allowing them to call the delegate function of an ERC20Votes contract. To secure this function, you...

7 AI Score

2023-10-11 12:00 AM
3
code423n4

LiquidityMining.initTickTracking() called by MarketSequencer.initCurve() Check if the liquidity curve for the pool is already initialized.

Lines of code Vulnerability details MarketSequencer.initCurve() can call LiquidityMining.initTickTracking() any number of times, because there is no restriction for reinitialization. As stated in the comment section, putting the caller in charge of not reinitializing can lead to an unintentional...

7 AI Score

2023-10-06 12:00 AM
5
code423n4

Lack of tick range validation allows initialization of invalid ticks.

Lines of code Vulnerability details Impact Function initTickTracking initializes the tick tracking data structure, but does not validate that tick is within the min/max tick range for the pool. This could allow initializing invalid tick values. Proof of Concept Here is the line in initTickTracking....

6.8 AI Score

2023-10-06 12:00 AM
3
code423n4

Existing pools will be bricked due to uninitialized state

Lines of code Vulnerability details Existing pools will be bricked due to uninitialized Summary Pools already present in the exchange will be bricked when crossTicks() is called with an uninitialized tickTracking_ storage, which will trigger an array out of bounds error. Impact New pools in the...

7.3 AI Score

2023-10-06 12:00 AM
1
code423n4

BLOCKS_PER_YEAR in Prime.sol should vary depending on leap and non-leap year

Lines of code https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L109 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L974...

7.2 AI Score

2023-10-04 12:00 AM
4
code423n4

Incorrect initialization of rUSDY.sol

Lines of code Vulnerability details Impact rUSDY.sol contract inherits PausableUpgradeable contract but does not invoke its initializers during its own initialization. Due to which the state of PausableUpgradeable contract remains uninitialized. File: contracts/usdy/rUSDY.sol contract rUSDY is ...

6.9 AI Score

2023-09-07 12:00 AM
11
openbugbounty

mlc-it.org Cross Site Scripting vulnerability OBB-3573849

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1 AI Score

2023-08-10 03:57 PM
14
code423n4

The project's reputation and user funds can be affected if a clear invariant is not met

Lines of code Vulnerability details Vulnerability details Impact The protocol may not work as expected in years that are not 365 days long, which could lead to a loss of confidence in the protocol. In fact, the next year is one of those years (leap year). Furthermore, defining it as a constant in.....

6.7 AI Score

2023-07-31 12:00 AM
6
code423n4

onlyProxy MODIFIER CAN BE BYPASSED BY A MALICIOUS PROXY CONTRACT AND CAN PUSH THE IMPLEMENTATION CONTRACT INTO AN UNDESIRABLE STATE

Lines of code https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/gmp-sdk/upgradable/Upgradable.sol#L78-L80 https://github.com/code-423n4/2023-07-axelar/blob/main/contracts/gmp-sdk/upgradable/Proxy.sol#L40-L43 Vulnerability details Impact The Upgradeable.onlyProxy modifier is used to.....

7 AI Score

2023-07-21 12:00 AM
2
code423n4

newer tx can remain unapproved due to previous tx not passing

Lines of code Vulnerability details Impact Newer transaction will not get approved because previous ones have not been approved or rejected Proof of Concept Let's say two out of 3 addresses sign a transaction which requires 3 signers then after some time the 3 now sign another transaction it won't....

7 AI Score

2023-07-21 12:00 AM
1
code423n4

Storage collision risk in NounsDAOProxy contracts

Lines of code https://github.com/nounsDAO/nouns-monorepo/blob/718211e063d511eeda1084710f6a682955e80dcb/packages/nouns-contracts/contracts/governance/NounsDAOProxyV2.sol#L43...

6.9 AI Score

2023-07-13 12:00 AM
3
osv

Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG

Antlers sanitizer cannot effectively sanitize malicious SVG Summary The SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the sanitize function. Details Regarding the previous discussion mentioned here,.....

5.5 CVSS

6.6 AI Score

0.001 EPSS

2023-07-06 08:56 PM
5
github

Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG

Antlers sanitizer cannot effectively sanitize malicious SVG Summary The SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the sanitize function. Details Regarding the previous discussion mentioned here,.....

5.5 CVSS

6.6 AI Score

0.001 EPSS

2023-07-06 08:56 PM
7
cve

CVE-2023-30319

Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary...

9.6 CVSS

8.4 AI Score

0.001 EPSS

2023-07-06 04:15 PM
12
nvd

CVE-2023-30319

Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary...

9.6 CVSS

8.6 AI Score

0.001 EPSS

2023-07-06 04:15 PM
veracode

Cross-Site Scripting (XSS)

statamic/cms is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in the index function at Svg.php because the SVG tag does not sanitize malicious SVG which allows an attacker to inject and execute arbitrary...

5.5 CVSS

6.5 AI Score

0.001 EPSS

2023-07-06 07:07 AM
6
cvelist

CVE-2023-30319

Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary...

8.7 AI Score

0.001 EPSS

2023-07-06 12:00 AM
cve

CVE-2023-36828

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version....

5.5 CVSS

5.2 AI Score

0.001 EPSS

2023-07-05 10:15 PM
11
Total number of security vulnerabilities: 427