IndraMotion MLC L20, L40 Security Vulnerabilities

nvd

CVE-2023-36828

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version....

5.4CVSS

5.2AI Score

0.001EPSS

2023-07-05 10:15 PM
osv

CVE-2023-36828

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version....

5.5CVSS

6.4AI Score

0.001EPSS

2023-07-05 10:15 PM
3
cvelist

CVE-2023-36828 Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version....

5.5CVSS

5.5AI Score

0.001EPSS

2023-07-05 09:30 PM
code423n4

maxSupply in esLBR.sol is wrong

Lines of code Vulnerability details Impact Proof of Concept As mentioned in the docs in line 6 in esLBR.sol contract , the maximum supply will be 55 million . https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/token/esLBR.sol#L6 The maximum amount that can be minted through...

6.9AI Score

2023-07-03 12:00 AM
3
code423n4

TimeoutTimeStamp and TimeoutHeight fields are not properly validated

Lines of code Vulnerability details Impact The absence of proper validation for TimeoutTimeStamp and TimeoutHeight fields before processing an onboarding request can lead to significant disruption and potential security risks. This might allow an attacker to send an IBC (Inter-Blockchain...

6.7AI Score

2023-06-23 12:00 AM
4
code423n4

GetStandardDenom at CreatePool might panic on unchecked nil

Lines of code https://github.com/cosmos/cosmos-sdk/blob/main/x/authz/keeper/keeper.go#L67 Vulnerability details Impact A panic might occur when calling CreatePool and stop the app Proof of Concept here we can see CreatePool is creating new struct pool which call k,GetStandardDenom as value for...

6.8AI Score

2023-06-23 12:00 AM
2
veracode

Prototype Pollution

progressbar.js is vulnerable to Prototype Pollution. The vulnerability exists in extend function at utils.js which allows an attacker to inject and modify malicious properties such as __proto__, resulting in prototype...

9.8CVSS

6.8AI Score

0.002EPSS

2023-06-21 10:43 AM
9
osv

progressbar.js vulnerable to Prototype Pollution

All versions of the package progressbar.js prior to 1.1.1 are vulnerable to Prototype Pollution via the function extend() in the file...

9.8CVSS

9.5AI Score

0.002EPSS

2023-06-12 06:30 AM
1
github

progressbar.js vulnerable to Prototype Pollution

All versions of the package progressbar.js prior to 1.1.1 are vulnerable to Prototype Pollution via the function extend() in the file...

9.8CVSS

8.9AI Score

0.002EPSS

2023-06-12 06:30 AM
13
cve

CVE-2023-2607

The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

7.2CVSS

7.1AI Score

0.002EPSS

2023-06-09 06:16 AM
20
nvd

CVE-2023-2607

The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

7.2CVSS

7AI Score

0.002EPSS

2023-06-09 06:16 AM
cvelist

CVE-2023-2607

The Multiple Page Generator Plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

7.2CVSS

7.3AI Score

0.002EPSS

2023-06-09 05:33 AM
code423n4

Technically the seven days period is not guaranteed and it's possible for the challenger to delete a withdrawal even if it hasn't been challenged during the seven days

Lines of code Vulnerability details Proof of Concept There's an existing logic to prevent the CHALLENGER from deleting a l2Output after the finalization period has ended. This is done to prevent having user withdrawals blocked after the finalization period has elapsed without challenges. The...

6.8AI Score

2023-06-09 12:00 AM
7
code423n4

Anyone Can selfdestruct The VaultProxy Contract.

Lines of code https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L29 https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/factory/VaultFactory.sol#L42...

6.9AI Score

2023-06-09 12:00 AM
5
code423n4

The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract

Lines of code Vulnerability details Impact When the _poolId and _id values are not within the expected range and appropriate bounds checking is not performed in the contract, it can result in high risk and vulnerabilities. Here are some potential risks and vulnerabilities that can arise: Invalid...

7.6AI Score

2023-06-09 12:00 AM
5
code423n4

VaultProxy implementation can be initialized by anyone and self-destructed

Lines of code https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/VaultProxy.sol#L41-L50 Vulnerability details Impact When the VaultFactory contract is deployed and initialized, the initialise method on the newly created VaultProxy implementation...

7AI Score

2023-06-09 12:00 AM
4
kitploit

EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists

EntropyReducer: Reduce The Entropy Of Your Payload And Obfuscate It With Serialized Linked Lists How Does It Work EntropyReducer algorithm is determined by BUFF_SIZE and NULL_BYTES values. The following is how would EntropyReducer organize your payload if BUFF_SIZE was set to 4, and NULL_BYTES to....

7.2AI Score

2023-05-26 12:30 PM
7
cve

CVE-2022-42225

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin's...

5.4CVSS

5.5AI Score

0.001EPSS

2023-05-24 08:15 PM
20
nvd

CVE-2022-42225

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin's...

5.4CVSS

5.6AI Score

0.001EPSS

2023-05-24 08:15 PM
osv

CVE-2022-42225

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin's...

5.4CVSS

6.3AI Score

0.001EPSS

2023-05-24 08:15 PM
5
cvelist

CVE-2022-42225

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin's...

5.7AI Score

0.001EPSS

2023-05-24 12:00 AM
cve

CVE-2023-2608

The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping...

4.3CVSS

5.3AI Score

0.001EPSS

2023-05-17 02:15 AM
15
nvd

CVE-2023-2608

The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping...

4.3CVSS

4.6AI Score

0.001EPSS

2023-05-17 02:15 AM
cvelist

CVE-2023-2608

The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping...

3.1CVSS

5.4AI Score

0.001EPSS

2023-05-17 01:58 AM
schneier

Building Trustworthy AI

We will all soon get into the habit of using AI tools for help with everyday problems and tasks. We should get in the habit of questioning the motives, incentives, and capabilities behind them, too. Imagine you're using an AI chatbot to plan a vacation. Did it suggest a particular resort because...

6.6AI Score

2023-05-11 11:17 AM
7
code423n4

Extraordinary proposal can become stuck

Lines of code Vulnerability details Since standard and extraordinary proposals use the same treasury funds accounting variables and extraordinary voting period is long enough (1 month), it is possible that extraordinary proposal that was valid and gained enough votes will end up frozen: it might...

6.7AI Score

2023-05-11 12:00 AM
5
code423n4

Upgraded Q -> 2 from #298 [1683710120837]

Judge has assessed an item in Issue #298 as 2 risk. The relevant finding follows: [L-03] Redundant and dangerous len parameter in readKeyValue Links Impact If the len is not set to input.length minus the offset, there may be unpredictable results due how the algorithm works. Proof of Concept Let's....

6.8AI Score

2023-05-10 12:00 AM
7
code423n4

Upgraded Q -> 2 from #49 [1683711080406]

Judge has assessed an item in Issue #49 as 2 risk. The relevant finding follows: QA10. readKeyValue() fails to enforce the constraint offset+len<=input.length. As a result, the key-value pair might be read from dirty memory area that is beyond the memory range of input and thus could be wrong......

6.7AI Score

2023-05-10 12:00 AM
3
code423n4

Vulnerability in Pause Function

Lines of code Vulnerability details Impact An attacker can exploit this vulnerability by setting any value as the new paused status code, which can allow the attacker to circumvent the pausing restrictions and carry out unauthorized actions on the contract. This can lead to significant...

7.1AI Score

2023-05-04 12:00 AM
4
code423n4

Insecure Ownership Management in DNSSECImpl.sol

Lines of code https://github.com/code-423n4/2023-04-ens/blob/45ea10bacb2a398e14d711fe28d1738271cd7640/contracts/dnssec-oracle/Owned.sol#L18-L20 Vulnerability details Impact This finding highlights a potential security risk related to the lack of safeguards when changing ownership in the...

6.8AI Score

2023-04-28 12:00 AM
7
code423n4

Unvalidated External Library Usage in RSASHA256Algorithm

Lines of code https://github.com/code-423n4/2023-04-ens/blob/45ea10bacb2a398e14d711fe28d1738271cd7640/contracts/dnssec-oracle/algorithms/RSASHA256Algorithm.sol#L5 Vulnerability details Impact A hacker could exploit this vulnerability to inject malicious code into the contract, potentially allowing....

6.9AI Score

2023-04-27 12:00 AM
4
code423n4

OperatorProposal._executeOperation() should refund excess ETH

Lines of code Vulnerability details Impact There are excess ETH in OperatorProposal._executeOperation, and it should be refunded. Proof of Concept OperatorProposal._executeOperation runs data.operator.execute with data.operatorValue of ETH. data.operator.execute{ value: data.operatorValue...

6.9AI Score

2023-04-14 12:00 AM
3
code423n4

OperatorProposal.sol: Leftover ETH is not refunded to the msg.sender

Lines of code Vulnerability details Impact The OperatorProposal contract is a type of proposal that allows to execute operations on contracts that implement the IOperator interface. Upon execution of the proposal it might be necessary that the executor provides ETH. This is true especially when...

7.1AI Score

2023-04-08 12:00 AM
3
code423n4

Potential lose of Vault control

Lines of code Vulnerability details Impact If by any means this function is not called first by the creators anyone can be the one to define it forever since there is no verification, after that the attacker will have complete control over the mint and burn functions. Proof of Concept function...

6.8AI Score

2023-03-20 12:00 AM
3
code423n4

Unprotected setVault function can be frontrun to set the attacker controlled vault address

Lines of code Vulnerability details Impact Unprotected setVault function from VaultToken.sol can be frontrun to set the attacker controlled vault address. Once attacker controlled vault address is set as a vault, attacker can mint large amount of tokens for himself and also able to burn other...

6.9AI Score

2023-03-20 12:00 AM
3
code423n4

[H-3] Any account can mint or burn an unlimited number of vault tokens and drain the Kangaroo Vault.

Lines of code Vulnerability details Impact This is a failure in setting up access control. Anyone could set the vault address to their address and call the mint/burn function to mint and burn vault tokens....

6.8AI Score

2023-03-20 12:00 AM
1
code423n4

Malicious or hacked admin can steal all ETH

Lines of code Vulnerability details Impact In L2EthToken.sol we have transferFromTo() It is possible malicious or hacked admin to steal the ETH. Proof of Concept As can be seen from the code snippet below, nothing can stop malicious or hacked admin to steal all ETH. He can use address _from and...

7.3AI Score

2023-03-19 12:00 AM
2
code423n4

Default accounts cannot pay transaction fees due to DefaultAccount not calling MsgValueSimulator

Lines of code Vulnerability details Impact Default accounts cannot pay the transaction fees to the bootloader. It's not clear whether the attempts to do so will silently succeed or revert because the behaviour of the CALL opcode in the zkSync Era virtual machine isn't explained in the description.....

6.7AI Score

2023-03-19 12:00 AM
8
code423n4

MerkleMinter created through TokenFactory cannot be upgraded

Lines of code Vulnerability details Impact During the token creation process in the TokenFactory contract, the function creates a MerkleMinter contract to setup and handle token initial token distribution....

7.1AI Score

2023-03-10 12:00 AM
4
code423n4

SWC-101 Arithmetic Overflow test/LotteryInvariantChecks.t.sol testBuyClaimFinalize()

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/RNSourceBase.sol#L17-L20 Vulnerability details Impact Integer overflow on finalizeDraw() function. Failing tests: Encountered 1 failing test in...

7.2AI Score

2023-03-09 12:00 AM
4
code423n4

Estimated profit may drift

Lines of code https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/LotteryMath.sol#L35-L56 Vulnerability details Impact The lottery is not sustainable over time. Excess pot calculation may drift, which either leads to insufficient payouts or a depletion of....

6.8AI Score

2023-03-09 12:00 AM
1
veracode

Command Injection

ipython is vulnerable to Command Injection. The vulnerability exists due to improper input sanitization in the _set_term_title function of terminal.py, which allows an attacker to inject maliciously crafted commands if the host is running Windows and ctypes is not...

7CVSS

6.6AI Score

0.001EPSS

2023-02-14 08:39 AM
11
cve

CVE-2023-24816

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability...

7CVSS

7AI Score

0.001EPSS

2023-02-10 08:15 PM
42
osv

CVE-2023-24816

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability...

7CVSS

7.3AI Score

0.001EPSS

2023-02-10 08:15 PM
4
nvd

CVE-2023-24816

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability...

7CVSS

6.2AI Score

0.001EPSS

2023-02-10 08:15 PM
osv

IPython vulnerable to command injection via set_term_title

IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0. Impact Users are only vulnerable when calling....

7CVSS

2.7AI Score

0.001EPSS

2023-02-10 07:55 PM
13
github

IPython vulnerable to command injection via set_term_title

IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function under specific conditions. This has been patched in version 8.10.0. Impact Users are only vulnerable when calling....

7CVSS

7.3AI Score

0.001EPSS

2023-02-10 07:55 PM
17
cvelist

CVE-2023-24816 set_term_title command injection in ipython

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability...

4.5CVSS

7.3AI Score

0.001EPSS

2023-02-10 07:52 PM
ubuntucve

CVE-2023-24816

IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability...

7CVSS

6.8AI Score

0.001EPSS

2023-02-10 12:00 AM
10
code423n4

AddressRegistry might have non-actual record

Lines of code https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L21 https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L40-L49 https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L59-L64...

6.8AI Score

2023-02-03 12:00 AM
6
Total number of security vulnerabilities: 427