Berlin-l21,berlin-l21hn,berlin-l22,berlin-l22hn,berlin-l23,berlin-l24hn,frd-l02,frd-l04,frd-l09,frd-l14,frd-l19, Security Vulnerabilities

code423n4

Permits may be reused after token upgrade

Lines of code https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/its/token-implementations/ERC20Permit.sol#L44-L48 Vulnerability details Impact The StandardizedToken contract inherits the ERC20Permit contract which in the case of an...

7.2AI Score

2023-07-21 12:00 AM
2
code423n4

Using supportsERC165InterfaceUnchecked() might break LSP functionality for certain contracts

Lines of code Vulnerability details Bug Description Throughout the codebase, the protocol uses the supportsERC165InterfaceUnchecked() function from Openzeppelin's ERC165Checker.sol to check for the support of ERC-165 interface IDs. However, supportsERC165InterfaceUnchecked() only checks if the...

6.9AI Score

2023-07-14 12:00 AM
4
nvd

CVE-2023-37272

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch...

5.4CVSS

0.0005EPSS

2023-07-13 11:15 PM
2
osv

CVE-2023-37272

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch...

5.4CVSS

6.3AI Score

0.0005EPSS

2023-07-13 11:15 PM
6
cve

CVE-2023-37272

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch...

6.3CVSS

5.3AI Score

0.0005EPSS

2023-07-13 11:15 PM
24
prion

Design/Logic Flaw

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch...

5.4CVSS

5.3AI Score

0.0005EPSS

2023-07-13 11:15 PM
4
cvelist

CVE-2023-37272 XSS vulnerability in JOC Cockpit branch 1.13

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch...

6.3CVSS

6.3AI Score

0.0005EPSS

2023-07-13 10:28 PM
talosblog

Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders

Gergana Karadzhova-Dangela is used to being with users during some of their toughest moments. Today, she spends much of her time responding to active cybersecurity incidents with Cisco Talos Incident Response, helping customers work through active attacks, many of which put personal data or...

6.9AI Score

2023-07-10 12:00 PM
5
code423n4

Wherever possible, _safeMint() should be used rather than _mint()

Lines of code Vulnerability details Impact _mint() is not recommended in favour of _safeMint(), which guarantees that the recipient is either an EOA. Proof of Concept, https://github.com/code-423n4/2023-07-basin/blob/main/mocks/tokens/MockTokenFeeOnTransfer.sol#L27,...

6.9AI Score

2023-07-10 12:00 AM
7
code423n4

Memory corruption in getBytes32FromBytes() can likely lead to loss of funds

Lines of code Vulnerability details Description The LibBytes library is used to read and store uint128 types compactly for Well functions. The function getBytes32FromBytes() will fetch a specific index as bytes32. /** * @dev Read the ith 32-byte chunk from data. */ function...

6.6AI Score

2023-07-10 12:00 AM
2
code423n4

Possible Front Running on the Permit function

Lines of code Vulnerability details Impact It could cause damage to third parties who use the permit method for transferring the tokens. Proof of Concept The well contract extends the ERC20Permit.sol, which contains a permit function that allow users to transfer assets with signatures. /** * @dev.....

6.7AI Score

2023-07-10 12:00 AM
9
github

Introduction to SELinux

At GitHub Security Lab, our main mission is helping secure the open source software we all rely on. While securing applications themselves is important, one of the best ways developers and system administrators can ensure the security of their systems is to create multiple layers of privilege....

6.8AI Score

2023-07-05 04:00 PM
8
code423n4

Flashloan/onFlashLoan() does not comply eip-3156

Lines of code https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/token/PeUSDMainnetStableVision.sol#L129-L139...

6.9AI Score

2023-07-03 12:00 AM
10
cve

CVE-2023-2290

A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary...

6.7CVSS

6.7AI Score

0.0004EPSS

2023-06-26 08:15 PM
13
ics

Mitsubishi Electric MELSEC iQ-F Series (Update A)

EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric --------- Begin Update A Part 1 of 4 --------- Equipment: MELSEC iQ-F, iQ-R, Q, and L series --------- Begin Update A Part 1 of 4 --------- Vulnerability: Plaintext Storage of...

7.5CVSS

7.2AI Score

0.003EPSS

2023-06-22 12:00 PM
13
openbugbounty

endodontie-berlin-mitte.de Cross Site Scripting vulnerability OBB-3405983

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1AI Score

2023-06-10 09:55 AM
8
osv

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

7.1CVSS

6.8AI Score

0.0004EPSS

2023-06-09 07:15 PM
2
cve

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

7.1CVSS

6.7AI Score

0.0004EPSS

2023-06-09 07:15 PM
27
nvd

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

7.1CVSS

6.8AI Score

0.0004EPSS

2023-06-09 07:15 PM
code423n4

Aunction DOS

Lines of code https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L38 https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L48-L50...

6.8AI Score

2023-06-09 12:00 AM
9
code423n4

Problem with Day values

Lines of code https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/Auction.sol#L22 Vulnerability details Impact Detailed description of the impact of this finding. In solidity, block.timestamp makes use of seconds in calculating time but in the...

7.1AI Score

2023-06-09 12:00 AM
5
cvelist

CVE-2023-27706

Bitwarden Windows desktop application versions prior to v2023.4.0 store biometric keys in Windows Credential Manager, accessible to other local unprivileged...

6.9AI Score

0.0004EPSS

2023-06-09 12:00 AM
code423n4

pause/unpause functionnalities not implemented in many pausable contracts

Lines of code https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L14 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L17 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/OperatorRewardsCollector.sol#L16 Vulnerability...

6.8AI Score

2023-06-09 12:00 AM
1
code423n4

Recipient address is not appropriately validated or sanitized in the BaseFeeVault contract (loss of funds)

Lines of code Vulnerability details Impact If the recipient address is not properly validated, an attacker could supply a malicious address as the recipient. This could result in the accumulated fees being sent to an unintended or unauthorized party. It could lead to financial loss or disruption...

7AI Score

2023-06-09 12:00 AM
8
code423n4

The utilization of a hardcoded time value is incorrect when deployed to blockchains other than Ethereum

Lines of code https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L26 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/StaderOracle.sol#L70-L73 https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L22 [Vulnerability details...

6.8AI Score

2023-06-09 12:00 AM
1
openbugbounty

berlin-alperen.de Cross Site Scripting vulnerability OBB-3404107

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1AI Score

2023-06-08 06:04 AM
12
openbugbounty

berlin-hotels.org Cross Site Scripting vulnerability OBB-3384305

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1AI Score

2023-06-04 05:54 AM
11
openbugbounty

berlin-housekeeping.de Cross Site Scripting vulnerability OBB-3381334

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1AI Score

2023-06-03 06:57 PM
7
github

In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file

Note The official templates of Lima, and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. Impact A virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is...

2.7CVSS

6.6AI Score

0.001EPSS

2023-05-31 11:38 PM
10
osv

In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file

Note The official templates of Lima, and the well-known third party products (Colima, Rancher Desktop, and Finch) are unlikely to be affected by this issue. Impact A virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is...

2.7CVSS

6.6AI Score

0.001EPSS

2023-05-31 11:38 PM
2
veracode

Cross-Site Scripting (XSS)

moodle/moodle is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of sanitization in the Header and Footer parameter in settings.php which allows an attacker to inject and execute arbitrary JavaScript into the...

6.5AI Score

0.001EPSS

2023-05-30 08:09 AM
8
packetstorm

7.1AI Score

0.001EPSS

2023-05-30 12:00 AM
139
kitploit

EntropyReducer - Reduce Entropy And Obfuscate Youre Payload With Serialized Linked Lists

EntropyReducer: Reduce The Entropy Of Youre Payload And Obfuscate It With Serialized Linked Lists How Does It Work EntropyReducer algorithm is determined by BUFF_SIZE and NULL_BYTES values. The following is how would EntropyReducer organize your payload if BUFF_SIZE was set to 4, and NULL_BYTES to....

7.2AI Score

2023-05-26 12:30 PM
7
osv

kiwitcms vulnerable to stored XSS via unrestricted files upload

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded, see GHSA-fwcf-753v-fgcj and Content-Security-Policy definition to prevent...

8.1CVSS

7.1AI Score

0.001EPSS

2023-05-22 07:39 PM
17
github

kiwitcms vulnerable to stored XSS via unrestricted files upload

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded, see GHSA-fwcf-753v-fgcj and Content-Security-Policy definition to prevent...

8.1CVSS

7.1AI Score

0.001EPSS

2023-05-22 07:39 PM
9
rapid7blog

Introducing: ‘Saved Filters’ in InsightCloudSec

Last year, when we launched Layered Context in InsightCloudSec, we knew we had something great on our hands. Not just because we provided a single view for cloud security practitioners to see their full cloud risk posture (though, if we do say so ourselves, that’s pretty sweet). No, we knew we had....

6.7AI Score

2023-05-18 08:04 PM
32
code423n4

Wrong WhitePaperInterestRateModel block per year calculations incur losses for users and the protocol

Lines of code https://github.com/code-423n4/2023-05-venus/blob/main/contracts/WhitePaperInterestRateModel.sol#L17 Vulnerability details Vulnerability Details Blocks per year calculations in WhitePaperInterestRateModel improperly assume 15 seconds block time, while on Binance Smart Chain it’s ~3...

6.8AI Score

2023-05-15 12:00 AM
6
code423n4

Wrong blocksPerYear calculation in WhitePaperInterestRateModel.sol

Lines of code Vulnerability details Impact In WhitePaperInterestRateModel.sol, File: contracts/WhitePaperInterestRateModel.sol 17 uint256 public constant blocksPerYear = 2102400; There is wrong calculation of blocksPerYear and blocksPerYear is the approximate number of blocks per year that is...

6.8AI Score

2023-05-15 12:00 AM
3
code423n4

Wrong blocksPerYear in WhitePaperInterestRateModel

Lines of code https://github.com/code-423n4/2023-05-venus/blob/main/contracts/BaseJumpRateModelV2.sol#L23 Vulnerability details Impact Venus is deployed on BNB Chain instead of Ethereum. Their block times are different. And WhitePaperInterestRateModel.sol is modified from compound. Therefore,...

6.8AI Score

2023-05-15 12:00 AM
3
code423n4

Extraordinary proposal can become stuck

Lines of code Vulnerability details Since standard and extraordinary proposals use the same treasury funds accounting variables and extraordinary voting period is long enough (1 month), it is possible that extraordinary proposal that was valid and gained enough votes will end up frozen: it might...

6.7AI Score

2023-05-11 12:00 AM
5
osv

m.static Directory Traversal vulnerability

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile...

7.5CVSS

5.5AI Score

0.001EPSS

2023-05-10 06:30 AM
15
github

m.static Directory Traversal vulnerability

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile...

7.5CVSS

5.5AI Score

0.001EPSS

2023-05-10 06:30 AM
15
code423n4

Upgraded Q -> 2 from #298 [1683710120837]

Judge has assessed an item in Issue #298 as 2 risk. The relevant finding follows: [L-03] Redundant and dangerous len parameter in readKeyValue Links Impact If the len is not set to input.length minus the offset, there may be unpredictable results due how the algorithm works. Proof of Concept Let's....

6.8AI Score

2023-05-10 12:00 AM
7
code423n4

Upgraded Q -> 2 from #49 [1683711080406]

Judge has assessed an item in Issue #49 as 2 risk. The relevant finding follows: QA10. readKeyValue() fails to enforce the constraint offset+len<=input.length. As a result, the key-value pair might be read from dirty memory area that is beyond the memory range of input and thus could be wrong......

6.7AI Score

2023-05-10 12:00 AM
3
code423n4

StrategyBase.sharesToUnderlying() cannot be overridden to intended mutability

Lines of code Vulnerability details Impact An implementation of sharesToUnderlying(), as inherited from StrategyBase.sol, cannot (contrary to intentions) make state modifications. This implies that StrategyBase.sol may become useless as a base contract to inherit from. Proof of Concept...

6.8AI Score

2023-05-04 12:00 AM
6
code423n4

StrategyBase.underlyingToShares() cannot be overridden to intended mutability

Lines of code Vulnerability details Impact An implementation of underlyingToShares(), as inherited from StrategyBase.sol, cannot (contrary to intentions) make state modifications. This implies that StrategyBase.sol may become useless as a base contract to inherit from. Proof of Concept...

6.8AI Score

2023-05-04 12:00 AM
2
packetstorm

6.9AI Score

2023-05-03 12:00 AM
252
openbugbounty

berlin-laeuft.de Cross Site Scripting vulnerability OBB-3288463

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6AI Score

2023-05-02 01:15 PM
4
openbugbounty

berlin-international-school.de Cross Site Scripting vulnerability OBB-3288460

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6AI Score

2023-05-02 01:13 PM
4
code423n4

If a label for a domain gets locked once, the domain will never be able to be claimed in DNSRegistrar.sol, since there's no method to unlock a label

Lines of code https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L22-L28 https://github.com/code-423n4/2023-04-ens/blob/main/contracts/root/Root.sol#L34-L37 Vulnerability details Proof of Concept When claiming a domain in DNSRegistrar.sol (either through proveAndClaim() or....

6.8AI Score

2023-04-28 12:00 AM
3
Total number of security vulnerabilities: 2317