IndraMotion MLC L20, L40 Security Vulnerabilities

CVE-2021-23858

Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, device details are exposed which include the serial number and the firmware version by another...

CVE-2021-23855

The user and password data base is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow...

Potential DOS in Contracts Inheriting UUPSUpgradeable.sol

Handle leastwood Vulnerability details Impact There are a number of contracts which inherit UUPSUpgradeable.sol, namely; GovernanceAction.sol, PauseRouter.sol and NoteERC20.sol. All these contracts are deployed using a proxy pattern whereby the implementation contract is used by the proxy contract....

Large Validator Sets/Rapid Validator Set Updates May Freeze the Bridge or Relayers

Handle nascent Vulnerability details In a similar vein to "Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms", a sufficiently large validator set or sufficiently rapid validator update could cause both the eth_oracle_main_loop and relayer_main_loop to fall into a state of perpetual errors. In....

Inadequate Encryption Strength in showdoc

showdoc makes use of a hardcoded salt in its user password hash...

Inadequate Encryption Strength in showdoc

showdoc makes use of a hardcoded salt in its user password hash...

Ruby on Rails: Content Security Policy is only active for HTML responses but not for image/svg+xml

Setup plain Rails application with a simple route and controller Configure a Content Security Policy (CSP) for downloading/preview endpoints with default-src 'none' (via https://edgeguides.rubyonrails.org/security.html#content-security-policy) Send a malicious SVG* file (e.g. attached example)...

Integer division by 0 in sparse reshaping

Impact The implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception: python import tensorflow as tf tf.raw_ops.SparseReshape( input_indices = np.ones((1,3)), input_shape = np.array([1,1,0]), new_shape = np.array([1,0])) The implementation...

Integer division by 0 in sparse reshaping

Impact The implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception: python import tensorflow as tf tf.raw_ops.SparseReshape( input_indices = np.ones((1,3)), input_shape = np.array([1,1,0]), new_shape = np.array([1,0])) The implementation...

Crash caused by integer conversion to unsigned

Impact An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments: ```python import tensorflow as tf from tensorflow.python.ops import gen_boosted_trees_ops import numpy as np v= tf.Variable([0.0, 0.0, 0.0, 0.0, 0.0])...

Crash caused by integer conversion to unsigned

Impact An attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments: ```python import tensorflow as tf from tensorflow.python.ops import gen_boosted_trees_ops import numpy as np v= tf.Variable([0.0, 0.0, 0.0, 0.0, 0.0])...

Privilege Escalation

billz/raspap-webgui is vulnerable to Privilege Escalation via OS commaind injection. An attacker can send an input of "a && whoami" to append strval($POST'connect']) to the end of the exec() function in configureclient.php , executing /etc/raspap/hostapd/enablelog.sh as root with no password and...

CVE-2021-37661

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

CVE-2021-37661

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

CVE-2021-37661

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

Integer overflow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

PYSEC-2021-772

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

PYSEC-2021-574

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

PYSEC-2021-283

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

CVE-2021-37661 Crash caused by integer conversion to unsigned in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...

CVE-2021-37640

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

CVE-2021-37640

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

CVE-2021-37640

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

PYSEC-2021-751

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

PYSEC-2021-553

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

Buffer overflow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

PYSEC-2021-262

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

CVE-2021-37640 Integer division by 0 in sparse reshaping in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of tf.raw_ops.SparseReshape can be made to trigger an integral division by 0 exception. The implementation calls the reshaping functor whenever there is at least an index in the input but....

Single-step process for critical ownership transfer/renounce is risky

Handle 0xRajeev Vulnerability details Impact The SwappableYieldSource allows owners and asset managers to set/swap/transfer yield sources/funds. As such, the contract ownership plays a critical role in the protocol. Given that AssetManager is derived from Ownable, the ownership management of this.....

The safe versions of transfer/transferFrom are not implemented as expected

Handle 0xRajeev Vulnerability details Impact The “safe” versions of token transfer/transferFrom as implemented either by OpenZeppelin’s SafeERC20 or Uniswap libraries, use a low-level call and make checks on the return data to handle cases where tokens may not return any value on...

Malicious owner can drain the market at any time using SafetyWithdraw

Handle 0xRajeev Vulnerability details Impact The withdrawERC20Token() in SafetyWithdraw inherited in TracerPerpetualSwaps is presumably a guarded launch emergency withdrawal mechanism. However, given the trust model where the market creator/owner is potentially untrusted/malicious, this is a...

rug pull possible via SafetyWithdraw

Handle gpersoon Vulnerability details Impact The contract TracerPerpetualSwaps inherits from SafetyWithdraw, which means the function withdrawERC20Token is possible, This allows the projectowners to withdraw the ERC20 tokens from the contract, which can be seen as a rug pull Also the tvl variable.....

Initialization functions can be front-run with malicious values

Handle 0xRajeev Vulnerability details Impact Most contracts have public visibility initialization functions that can be front-run, allowing an attacker to incorrectly initialize the contracts. Due to the use of the delegatecall proxy pattern, PrizePool/YieldSourcePrizePool/StakePrizePool,...

CVE-2021-21382

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...

CVE-2021-21382

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...

CVE-2021-21382

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...

Design/Logic Flaw

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...

CVE-2021-21382 Unsafe loopback forwarding interface in Restund

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...

GitLab: Stored XSS in Mermaid when viewing Markdown files

Summary GitLab's Mermaid configuration allows an attacker to inject HTML in the rendered Markdown. This can be combined with a CSP bypass using pipeline artifacts to achieve RCE. Steps to reproduce Create a repository on GitLab.com Add the following to .gitlab-ci.yml ```yaml job: script: ...

Incomplete validation in `SparseReshape`

Impact Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. ```python import tensorflow as tf input_indices = tf.constant(41, shape=[1, 1], dtype=tf.int64) input_shape = tf.zeros([11], dtype=tf.int64) new_shape = tf.zeros([1], dtype=tf.int64)...

Incomplete validation in `SparseReshape`

Impact Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. ```python import tensorflow as tf input_indices = tf.constant(41, shape=[1, 1], dtype=tf.int64) input_shape = tf.zeros([11], dtype=tf.int64) new_shape = tf.zeros([1], dtype=tf.int64)...

Null pointer dereference via invalid Ragged Tensors

Impact Calling tf.raw_ops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference: ```python import tensorflow as tf input_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32) filter_tensor = tf.constant([], shape=[0, 0, 0, 0, 0],....

Null pointer dereference via invalid Ragged Tensors

Impact Calling tf.raw_ops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference: ```python import tensorflow as tf input_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32) filter_tensor = tf.constant([], shape=[0, 0, 0, 0, 0],....

in cythron/gcp

✍️ Description Hard-Coded User Credentials are exposed in the docker file. 🕵️‍♂️ Proof of Concept https://github.com/cythron/gcp/blob/master/%23Dockerfile#L20 💥 Impact Attacker is capable of login using given...

CVE-2021-29611

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. The...

CVE-2021-29611

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. The...

CVE-2021-29611

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. The...

CVE-2021-29516

TensorFlow is an end-to-end open source platform for machine learning. Calling tf.raw_ops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of RaggedTensorToVariant...

CVE-2021-29516

TensorFlow is an end-to-end open source platform for machine learning. Calling tf.raw_ops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of RaggedTensorToVariant...

CVE-2021-29516

TensorFlow is an end-to-end open source platform for machine learning. Calling tf.raw_ops.RaggedTensorToVariant with arguments specifying an invalid ragged tensor results in a null pointer dereference. The implementation of RaggedTensorToVariant...