Berlin-l21,berlin-l21hn,berlin-l22,berlin-l22hn,berlin-l23,berlin-l24hn,frd-l02,frd-l04,frd-l09,frd-l14,frd-l19, Security Vulnerabilities

Signed data may be usable cross-chain

Lines of code https://github.com/code-423n4/2023-10-brahma/blob/a6424230052fc47c4215200c19a8eef9b07dfccc/contracts/src/libraries/TypeHashHelper.sol#L23-L31 Vulnerability details Impact The function validatePreTransactionOverridable(), which Validates a txn on guard before execution, for Brahma...

User is unable to undelegate their votes from a ProxyDelegator

Lines of code https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L98-L107 https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L124-L137...

use higher version of openzeppelin library instead of vulnerible ones.

Lines of code Vulnerability details Impact the Op lib has some dangerous vulnerabilities in lower versions especially when you work with ERC1155 Openzeppelin already says the lower versions are vulnerable. Affected versions = 4.2.0 < 4.3.3 Patched versions 4.3.3 look at this GHSA-wmpv-c2jp-j2xg....

CrossTicks is not called when Users claimConcentratedRewards.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/37a1d64cf3a10bf37cbc287a22e8991f04298fa0/canto_ambient/contracts/mixins/LiquidityMining.sol#L156 Vulnerability details Vulnerability Details The crossTicks() function is called to keep track and update the ticks whenever a tick is...

Rewards cannot be transferred when calling protocol command

Lines of code Vulnerability details Summary Rewards are set up using protocol commands, but it's entrypoint is not payable. Impact Rewards can be set up by protocol authorities using the functions setConcRewards() and setAmbRewards() present in the LiquidityMiningPath contracts. These two are part....

User scores can be wrong due to wrong scaling of the Capital.

Lines of code https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/libs/Scores.sol#L22 Vulnerability details Impact In the prime.sol contract, the function _CalculateScore is used to calculate and scale the capital using 1e18 as the...

functions in FixedMath.sol directly converting uint256 arguments to int256 which may overflow

Lines of code https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/libs/FixedMath.sol#L46 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/libs/FixedMath.sol#L22...

CVE-2023-5135

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-5135

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-5135

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

berlin-karow-internet.de Cross Site Scripting vulnerability OBB-3685441

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CVE-2023-4963

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVE-2023-4963

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVE-2023-4963

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around...

Rouge ward can remove auth permission from other wards and then remove themselves

Lines of code Vulnerability details In a protocol, the deny function is used to remove the ward permissions from an address. This is actually a serious thing to consider that can actually occur, if a ward contract or account is obtained and other wards are not aware, the rogue ward can actually...

SafeTransferLib's safeApprove() does not set allowance 0 first which would lead to the escrow encountering issues when dealing with tether's USDT or tokens like it.

Lines of code Vulnerability details Impact Medium... a number of features within the protocol will not work if an approval reverts in the escrow or anywhere else NB: Report mainly focuses on the usage of the SafeTransferLib's safeApprove(), but bug is attached to the underlying call made to...

Description of the security update for SharePoint Server Subscription Edition: September 12, 2023 (KB5002474)

Description of the security update for SharePoint Server Subscription Edition: September 12, 2023 (KB5002474) Summary This security update resolves a Microsoft SharePoint Server elevation of privilege vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and...

Protocol will fail for ERC1155 tokens

Lines of code Vulnerability details Issue DelegateTokenTransferHelpers::checkERC1155BeforePull() and DelegateTokenTransferHelpers::pullERC1155AfterCheck() perform "set and check" operations on erc1155Pulled.flag which will always revert. In the first function, the value of erc1155Pulled.flag is...

the perpetualVaultLP.sol is vulnable by flashloan attack

Lines of code https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L145-L175 Vulnerability details impact The perpVaultLp contract is susceptible to a flash loan attack. An attacker can exploit the vulnerability....

Arbitrary Code Injection

github.com/ansible-semaphore/semaphore is vulnerable to Arbitrary Code Injection. The vulnerability exists in makeCmd function at AnsiblePlaybook.go which allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables...

berlin-housekeeping.de Cross Site Scripting vulnerability OBB-3604477

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CVE-2023-4029

A buffer overflow has been identified in the BoardUpdateAcpiDxe driver in some Lenovo ThinkPad products which may allow an attacker with local access and elevated privileges to execute arbitrary...

Missing __Governor_init() call in SecurityCouncilMemberRemovalGovernor's initialize() function

Lines of code Vulnerability details Bug Description The SecurityCouncilMemberRemovalGovernor contract inherits Openzeppelin's GovernorUpgradeable: SecurityCouncilMemberRemovalGovernor.sol#L17-L19 contract SecurityCouncilMemberRemovalGovernor is Initializable, GovernorUpgradeable, However,...

fTPM Voltage Fault Injection

Bulletin ID:AMD-SB-4005 Potential Impact: Arbitrary Code Execution Severity:High Summary CVE-2023-20589 Researchers at the Technische Universität Berlin have reported the use of voltage fault injection attacks on ASP secure boot targeting fTPM. An attacker with specialized hardware and physical...

berlin-partner.de Cross Site Scripting vulnerability OBB-3571060

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Potential Near-Zero Scenarios for purchasePrice in the Continuous Gradual Dutch Auction

Lines of code https://github.com/GenerationSoftware/pt-v5-cgda-liquidator/blob/7f95bcacd4a566c2becb98d55c1886cadbaa8897/src/LiquidationPair.sol#L294-L319...

DEPRECATED POOLS CAN BE USED IN THE CRITICAL TRANSACTION EXECUTIONS OF THE OptionsPositionManager CONTRACT

Lines of code https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/RoeRouter.sol#L23-L29 Vulnerability details Impact The PositionManager.getPoolAddresses function is used to get the important address details of the RoePool to be used in the critical function executions of the...

CVE-2023-38688

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including...

CVE-2023-38688

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including...

CVE-2023-38688

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including...

CVE-2023-38688 twitch-tui's connection is not encrypted

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result, communication, including...

Insufficient Authorization Checks in 'SGLLeverage' Contract Functions

Lines of code https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/singularity/SGLLeverage.sol#L58...

The USDOMarketModule contract's lend function allows for dangerous call delegation

Lines of code Vulnerability details Impact The USDOMarketModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for market actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's _executeModule...

Malicious user can drain the Singularity contract of it's liquidity

Lines of code https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/singularity/SGLCollateral.sol#L35 Vulnerability details Impact The SGLCollateral contract has functionality to allow users to remove and add collateral for the Singularity....

The USDOOptionsModule contract's exercise function allows for dangerous call delegation

Lines of code Vulnerability details Impact The USDOOptionsModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for oTap actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's _executeModule...

The USDOLeverageModule contract's leverageUp function allows for dangerous call delegation

Lines of code Vulnerability details Impact The USDOLeverageModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for leverage actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's _executeModule.....

Risk of Incorrect Collateral Pricing in Case of Aggregator Reaching minAnswer

Lines of code Vulnerability details Impact Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the.....

twitch-tui's connection is not encrypted

Summary The connection is not using TLS for communication Details In the configuration of the irc connection, you are disabling tls which makes all communication to twitch irc servers unencrypted. PoC You can verify by using tcpdump/wireshark that traffic is unencrypted. Impact Communication can...

twitch-tui's connection is not encrypted

Summary The connection is not using TLS for communication Details In the configuration of the irc connection, you are disabling tls which makes all communication to twitch irc servers unencrypted. PoC You can verify by using tcpdump/wireshark that traffic is unencrypted. Impact Communication can...

Identifying publications using its ID makes the protocol vulnerable to blockchain re-orgs

Lines of code Vulnerability details Bug Description In the protocol, publications are uniquely identified through the publisher's profile ID and the publication's ID. For example, when a user calls act(), the publication being acted on is determined by publicationActedProfileId and...

Reentrancy Vulnerability in MErc20Delegate.sol

Lines of code Vulnerability details Impact The fallback function delegates calls to the implementation contract using delegatecall. This allows the implementation contract to call back into MErc20Delegate before the original delegatecall completes. An attacker could exploit this vulnerability to...

EIP-712 typehash is incorrect for several functions in MetaTxLib

Lines of code https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L23 https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L25...

Anyone with a share link can RESET all website data in Umami

Summary Anyone with a share link (permissions to view) can reset the website data. Details When a user navigates to a /share/ URL, he receives a share token which is used for authentication. This token is later verified by useAuth. After the token is verified, the user can call most of the GET...

Anyone with a share link can RESET all website data in Umami

Summary Anyone with a share link (permissions to view) can reset the website data. Details When a user navigates to a /share/ URL, he receives a share token which is used for authentication. This token is later verified by useAuth. After the token is verified, the user can call most of the GET...

Closing vulnerabilities in Decidim, a Ruby-based citizen participation platform

This blog post describes two security vulnerabilities in Decidim, a digital platform for citizen participation. Both vulnerabilities were addressed by the Decidim team with corresponding update releases for the supported versions in May 2023. This blog post is not directly related to election...

The is no way for native tokens to get sent to InterchainProposalExecutor

Lines of code Vulnerability details Impact Proposals that require value cannot be executed as native tokens on the other side of the bridge cannot be provided. Proof of Concept Proposals have a value parameter, which allows users to specify what amount of native tokens should be passed when...

Attacker can steal funcds from InterchainProposalExecutor contract

Lines of code https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/interchain-governance-executor/InterchainProposalExecutor.sol#L22 Vulnerability details Impact In InterchainProposalSender users can send proposals to diffrent chains by passing the...

Users can abuse multicall feature on InterchainTokenService to steal contract funds

Lines of code Vulnerability details Impact Users can steal balance in InterchainTokenService to pay gas fees for remote chain calls through multicall() in InterchainTokenService.sol. Proof of Concept User can send multiple calls at the same time on InterchainTokenService contract with the help of.....

Payable functions using delegatecall inside a loop

Lines of code Vulnerability details Impact The use of delegatecall within a loop, in the context of a payable function, can lead to the repeated crediting of the msg.value amount, potentially causing unexpected behavior or loss of funds. Proof of Concept contract DelegatecallInLoop is Multicall...