Berlin-l21,berlin-l21hn,berlin-l22,berlin-l22hn,berlin-l23,berlin-l24hn,frd-l02,frd-l04,frd-l09,frd-l14,frd-l19, Security Vulnerabilities

Missing important check in getOwnerAddress() function in DNSClaimChecker.sol

Lines of code Vulnerability details Impact getOwnerAddress() function used in DNSClaimChecker.sol is missing important check on the type and class of the records. Also this getOwnerAddress() function is used in DNSRegistar.sol _claim function to claim a name using the given proofs Since there are.....

BytesUtils.keccak does not revert when offset is out of bounds

Lines of code Vulnerability details Impact The BytesUtils.keccak function accepts out of bound offset value and returns a valid response without reverting. function keccak( bytes memory self, uint256 offset, uint256 len ) internal pure returns (bytes32 ret)...

SHA1Digest Contract Vulnerability

Lines of code Vulnerability details Impact The vulnerability is related to the use of the SHA1 hashing algorithm in the SHA1Digest contract. SHA1 is an outdated cryptographic hash function that has been deprecated by most security experts due to its weaknesses and susceptibility to collision...

Timing Attack

github.com/iofinnet/thresh, github.com/thorchain/thorchain-tss and github.com/bnb-chain/tss-lib are vulnerable to Timing Attacks. The vulnerability exists due to a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic which allows an...

From integer Overflow to DoS attack that leads to financial losses in ModexpPrecompile.modexp function and RSAVerify library.

Lines of code https://github.com/code-423n4/2023-04-ens/blob/main/contracts/dnssec-oracle/algorithms/ModexpPrecompile.sol#L7 Vulnerability details Impact This vulnerability to cause unexpected behavior or even a denial-of-service attack on a contract that uses the RSAVerify library on...

CSRF bypass

Description URL parsing with Qwik uses the new URL(a, b) constructor. A little-known fact about this constructor is that if an attacker controls a they have complete control of the finally resolved URL. For example: const url = new URL(attacker_value, "http://localhost") By entering //test.com,...

Position.sol: usage of an incorrect version of Ownable library can potentially malfunction all onlyOwner functions

Lines of code Vulnerability details Impact // From https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol The current implementaion is using a non-upgradeable version of the Ownable library isnstead of the upgradeable version:...

Signature malleability for S

Lines of code Vulnerability details Impact Ethereum contracts often assumes that the signature is unique, but signatures can be altered without the possession of the private key and still be valid. The EVM specification defines several so-called ‘precompiled’ contracts one of them being ecrecover.....

VetoProposal#voteToVeto can be called repeatedly by same voter and be used to lock party

Lines of code Vulnerability details Impact Party can be locked due to not being able to pass and proposals Proof of Concept VetoProposal.sol#L37-L59 uint96 votingPower = party.getVotingPowerAt( msg.sender, proposalValues.proposedTime - 1, snapIndex ); uint96...

Voters can call VetoProposal.voteToVeto() as many times as they like.

Lines of code Vulnerability details Impact Each voter can veto a proposal if they want by calling voteToVeto() several times to pass the passThresholdBps. Proof of Concept Every voter shouldn't vote several times, otherwise, the voting system will be broken. But voteToVeto() doesn't check the...

CVE-2023-1874

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a...

CVE-2023-1874

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a...

CVE-2023-1874

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a...

berlin-swinging-bears.de Cross Site Scripting vulnerability OBB-3258568

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

aegyptisches-museum-berlin-verein.de Cross Site Scripting vulnerability OBB-3258277

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

endodontie-berlin-mitte.de Cross Site Scripting vulnerability OBB-3256793

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

berlin-shuttle.de Cross Site Scripting vulnerability OBB-3255992

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

berlin-housekeeping.de Cross Site Scripting vulnerability OBB-3255990

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

berlin-en-ligne.de Cross Site Scripting vulnerability OBB-3253612

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CollectionBatchBuyOperator.sol: tokenIds array is not shortened properly which makes execute function revert when not all NFTs are purchased successfully

Lines of code Vulnerability details Impact The CollectionBatchBuyOperator contract allows parties to buy NFTs through proposals. The proposal specifies an nftContract and token IDs (via the nftTokenIdsMerkleRoot parameter) that can be bought. Allowed executors can then execute the actual purchase.....

OperatorProposal.sol: Leftover ETH is not refunded to the msg.sender

Lines of code Vulnerability details Impact The OperatorProposal contract is a type of proposal that allows to execute operations on contracts that implement the IOperator interface. Upon execution of the proposal it might be necessary that the executor provides ETH. This is true especially when...

VetoProposal: proposals cannot be vetoed in all states in which it should be possible to veto proposals

Lines of code Vulnerability details Impact The VetoProposal contract allows to veto proposals with the voteToVeto function. The proposal can only be vetoed when it is in the Voting state, otherwise the voteToVeto function reverts. The issue is that the Voting state is not the only state in which...

VetoProposal: user can veto multiple times so every proposal can be votoed by any user that has a small amount of votes

Lines of code Vulnerability details Impact The VetoProposal contract allows to veto proposals with the voteToVeto function. When the amount of votes collected to veto a proposal exceeds a certain threshold (the passThresholdBps, which is determined upon initialization of the party), the proposal...

CVE-2023-28853

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...

CVE-2023-28853

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...

CVE-2023-28853

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...

CVE-2023-28853 Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...

berlin-tourismus.de Cross Site Scripting vulnerability OBB-3244619

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

berlin-visavis.de Cross Site Scripting vulnerability OBB-3242504

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

MiniDVBLinux 5.4 - Change Root Password

...

Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series Improper Resource Shutdown or Release (CVE-2022-33324)

Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions 32 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions 65 and prior, Mitsubishi Electric Corporation MELSEC...

KangarooVault.initiateDeposit, KangarooVault.processDepositQueue, KangarooVault.initiateWithdrawal, and KangarooVault.processWithdrawalQueue functions do not use whenNotPaused modifier

Lines of code https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L183 https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L243 https://github.com/code-423n4/2023-03-polynomial/blob/main/src/KangarooVault.sol#L215...

Profile Picture: Address Registry should maintain storage between consecutive deploys

Lines of code https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-pfp-protocol/src/ProfilePicture.sol#L101 https://github.com/code-423n4/2023-03-canto-identity/blob/main/canto-identity-protocol/src/CidNFT.sol#L432 Vulnerability details [H-01] Profile Picture: Address Registry...

The call to MsgValueSimulator with non zero msg.value will call to sender itself which will bypass the onlySelf check

Lines of code Vulnerability details Impact First, I need to clarify, there may be more serious ways to exploit this issue. Due to the lack of time and documents, I cannot complete further exploit. The current exploit has only achieved the impact in the title. I will expand the possibility of...

EVM Elliptic Curve Recovery Discrepancy

Lines of code Vulnerability details Impact The Ecrecover.yul file meant to simulate the ecrecover mechanism as executed by traditional ETH 1.0 consensus mechanisms is incorrect. In detail, it does not conform to the "Homestead" update which introduced an upper-bound check for s values of an (r, s,....

Unsafe safeTransfer function

Lines of code https://github.com/code-423n4/2023-03-zksync//blob/main/contracts/openzeppelin/token/ERC20/utils/SafeERC20.sol#L22 Vulnerability details Impact The safeTransfer function of the SafeERC20.sol contract check that the target is actually a contract before calling it, this is to avoid...

Users pay excessive gas cost for sending bytecode hashes to L1

Lines of code Vulnerability details Impact When deploying new contracts, users are forced to pay more gas than is required to publish the bytecode hash to the L1. Proof of Concept When users deploy new smart contracts, the protocol marks the hashes of the bytecodes of the contracts as known and...

DefaultAccount will add system call flag to any call with msg.value

Lines of code https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/libraries/EfficientCall.sol#L134-L145 https://github.com/code-423n4/2023-03-zksync/blob/main/contracts/MsgValueSimulator.sol#L22-L29...

Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT

Welcome to this week's edition of the Threat Source newsletter. There is no shortage of hyperbolic headlines about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as.....

If random number is too low, the lottery not completely random

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/TicketUtils.sol#L43-L76 Summary Random numbers below a certain limit will always return at least one rightmost bit, while numbers above this limit will return random bits. Explanation: The winning...

The Lottery Contract's Lack of Safeguards May Lead to Insufficient Funds for Jackpot Payouts

Lines of code Vulnerability details While it may be true that the probability of the scenario happening is low, it does not necessarily mean that the issue should not be considered valid. A low probability does not mean that the vulnerability should be ignored, especially if it can lead to a loss.....

elektriker-berlin-charlottenburg.de Cross Site Scripting vulnerability OBB-3210784

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Contract not initialized after deployment

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62...

ReaperBaseStrategyv4 is not Initializable

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Vault/contracts/ReaperStrategyGranarySupplyOnly.sol#L62...

Centralization Risk for trusted owners

Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Core/contracts/BorrowerOperations.sol#L18 https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Core/contracts/LQTY/CommunityIssuance.sol#L14...

Command Injection

jtrussell/semver-tags is vulnerable to Command Injection The vulnerability exists due to improper user-input sanitization in the getGitTagsRemote function, which allows an attacker to execute arbitrary...

Erxes vulnerable to Cross-site Scripting

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in all versions. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known...

Erxes vulnerable to Cross-site Scripting

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in all versions. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known...

KUMAFeeCollector.changePayees() executes incorrectly when newPayees contains duplicate items

Lines of code Vulnerability details Impact When calling KUMAFeeCollector.changePayees() with duplicate payees in newPayees, the call is not reverted and the result state will be incorrect. Proof of Concept Contract KUMAFeeCollector does not support duplicate payees. The transaction will revert...

CVE-2021-32853

Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known...