Berlin-l21hn; Prague-al00a; Prague-al00b; Prague-al00c; Prague-l31; Prague-tl00a; Prague-tl10a Security Vulnerabilities

Improper Rate Limiting

@strapi/admin and @strapi/plugin-users-permissions vulnerable to Improper Rate Limiting. The vulnerability is due to bypassable rate limiting logic in the admin and user authentication endpoints which could theoretically allow an attacker to brute force valid username and password...

Strapi Improper Rate Limiting vulnerability

Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case,...

Strapi Improper Rate Limiting vulnerability

Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case,...

All the funds will be lost if the destination bridge is paused

Lines of code https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L31 Vulnerability details Impact Destination bridge is pausable, so if for a chain a destination bridge is paused, all the funds being bridged from...

prague-ticket-concert.com Cross Site Scripting vulnerability OBB-3652377

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

getPastCirculatingSupply() returns the ARB token supply instead of circulating votes supply

Lines of code Vulnerability details Bug Description In ArbitrumGovernorVotesQuorumFractionUpgradeable, the getPastCirculatingSupply() function is used when calculating quorum for proposals: ArbitrumGovernorVotesQuorumFractionUpgradeable.sol#L31-L35 /// @notice Get "circulating" votes supply;...

SecurityCouncilMemberSyncAction.perform is not exclusively can be scheduled from SecurityCouncilManager's operations

Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/SecurityCouncilManager.sol#L420-L443 Vulnerability details Impact SecurityCouncilMemberSyncAction.perform is a crucial function that will be triggered by upgrade...

Anyone can call the perform function because there is no access control

Lines of code #L31-#L75 Vulnerability details Impact Anyone can call the perform function. It can lead to unauthorized changes in the security council. Proof of Concept There is no access control in the perform function and it is marked "external". function perform(address _securityCouncil,...

SecurityCouncilMemberSyncAction : perform function can be continually DOSed which will prevent the valid update the members of the gnosis safe

Lines of code Vulnerability details Impact The _securityCouncil update will be prevented by continuously calling the perform function. Since the function rely on the nonce value, this function can be continuously called and nonce value is updated. This would prevent the valid security council...

Anyone can change the members of Security Council

Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNonce(_securityCouncil); if...

Anyone can become owner of GnosisSafe(securityCouncil) contracts

Lines of code Vulnerability details Impact Member roles in SecurityCouncilManager contract can change owners of GnosisSafe(securityCouncil) contracts by schedulinig a perform call to ArbitrumTimelock contract. However the contract that handles updating owners(security council members) with perform....

Risk of Incorrect Collateral Pricing in Case of Aggregator Reaching minAnswer

Lines of code Vulnerability details Impact Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the.....

FollowNFT storage collision

Lines of code Vulnerability details Impact The _lastFollowTokenId of FollowNFT contract has a storage collision. V2.0 storage layout: | _lastFollowTokenId | uint128 | 17 | 0 | 16 | contracts/FollowNFT.sol:FollowNFT | |...

Reentrancy Vulnerability in MErc20Delegate.sol

Lines of code Vulnerability details Impact The fallback function delegates calls to the implementation contract using delegatecall. This allows the implementation contract to call back into MErc20Delegate before the original delegatecall completes. An attacker could exploit this vulnerability to...

Collateralization ratio manipulation can cause a denial of service

Lines of code Vulnerability details Impact Stablecoin redeeming and profit accruing in the SavingsVest contract can be blocked when the collateralization ratio has overflown. Proof of Concept The mitigation recommended in #31 and implemented by the sponsor in this commit doesn't resolve the root...

Users with DEPLOY permission can grief each other through CREATE2

Lines of code Vulnerability details Bug Description In ERC725XCore.sol, the _deployCreate2() function uses Openzeppelin's Create2.deploy() to deploy new contracts: ERC725XCore.sol#L253-L267 function _deployCreate2( uint256 value, bytes memory creationCode ) internal virtual...

In VirtualAccount.sol.withdrawERC20(), Transaction revert if the Token does not support 0 value transfer

Lines of code Vulnerability details Impact In VirtualAccount.sol.withdrawERC20(), Transaction revert if the Token does not support 0 value transfer when transferring tokens to recipient address. File: src/ulysses-omnichain/VirtualAccount.sol 31 function withdrawERC20(address _token, uint256...

Metasploit Weekly Wrap-Up

Nothing but .NET? Smashery continues to… smash it by updating our .NET assembly execution module. The original module allowed users to run a .NET exe as a thread within a process they created on a remote host. Smashery’s improvements let users run the executable within a thread of the process...

prague-guide.fr Cross Site Scripting vulnerability OBB-3476584

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Default coin spend limit was set wrong for ETH

Lines of code https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/types/params.go#L31-L35 Vulnerability details Impact It is stated in the README that some spend limit are configured for the swaps. This is a security precaution to avoid spending too much tokens for the default 4....

Canto pool could be drained.

Lines of code Vulnerability details Impact It was written that there a limit for 10 USDC /10 USDT /0.01 ETH, which currently equals to 10 USDT/ 10 USDC/ 18 USDT almost. These limits are for 4 Canto. Which means code accepts the Canto price at max: 2,5 USDC or equavalent. It is also written in the.....

CVE-2023-2189

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with...

CVE-2023-2189

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with...

CVE-2023-1807

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers...

CVE-2023-1807

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers...

CVE-2023-1807

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers...

CVE-2023-2189

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with...

The _poolId and _id values are not within the expected range and not performing appropriate bounds checking in the VAULTPROXY contract

Lines of code Vulnerability details Impact When the _poolId and _id values are not within the expected range and appropriate bounds checking is not performed in the contract, it can result in high risk and vulnerabilities. Here are some potential risks and vulnerabilities that can arise: Invalid...

Position ownership could be transferred to zero address

Lines of code Vulnerability details Impact Ownership of a Position could be transferred to zero address. This is usually caused by mistake but the consequence is loss of collateral. Proof of Concept The position owner calls transferOwnership but accidentally set newOwner address to 0x0. Tools Used....

Lack of zero address check throughout the codebase could lead to unwanted redeployments, address(0) ownership and onTokenTransfer unsuccessful.

Lines of code https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L54-L57 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L124...

Arbitrary File Upload

yuan1994/tpadmin is vulnerable to Arbitrary File Upload. The vulnerability exists because the library does not properly validate files uploaded in Upload.php, allowing an attacker to bypass the file upload restrictions and take over server...

prague-trade.cz Cross Site Scripting vulnerability OBB-3261808

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

WordPress Watu Quiz <3.3.9.1 - Cross-Site Scripting

WordPress Watu Quiz plugin before 3.3.9.1 is susceptible to cross-site scripting. The plugin does not sanitize and escape some parameters, such as email, dn, date, and points, before outputting then back in a page. An attacker can inject arbitrary script in the browser of an unsuspecting user in...

A user can mint a PFP NFT multiple times using the same _nftId

Lines of code Vulnerability details Impact A user might unintentionally "intentionally" try to take advantage of the mint() function in ProfilePicture.sol Proof of Concept The pfp mapping stores the pfp data per NFT, L31-32 of Profilepicture.sol /// @notice Stores the pfp data per NFT...

[bootloader] A bytecode hash without the bytecode (preimage) can be marked as known, breaking the prover

Lines of code Vulnerability details This is a report of a finding in bootloader.yul. While the file is out of scope of the contest, the sponsor stated that they would still accept findings in the file and would judge them separately from the contest. Impact A bytecode hash for which the bytecode...

Users pay excessive gas cost for sending bytecode hashes to L1

Lines of code Vulnerability details Impact When deploying new contracts, users are forced to pay more gas than is required to publish the bytecode hash to the L1. Proof of Concept When users deploy new smart contracts, the protocol marks the hashes of the bytecodes of the contracts as known and...

prague-ticket-concert.com Cross Site Scripting vulnerability OBB-3225115

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

A malicious actor can create a non malicious plugin, but then simply change the implementation of the plugin repo, allowing him to change the logic and create malicious plugins

Lines of code https://github.com/code-423n4/2023-03-aragon/blob/4db573870aa4e1f40a3381cdd4ec006222e471fe/packages/contracts/src/framework/plugin/repo/PluginRepoFactory.sol#L122 Vulnerability details Impact Detailed description of the impact of this finding. Any developer can create their plugin...

CVE-2023-0968

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2023-0968

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2023-0968

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'email', 'points', and 'date' parameters in versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

GitHub Security Lab audited DataHub: Here&#8217;s what they found

At GitHub, we really care about open source security and love to help maintainers to secure their code. That is indeed the mission of the GitHub Security Lab. As users of open source software (OSS), we also love to contribute back to the community by helping improve the security posture of the OSS....

Inadequate Maximum Orders Value in Determining Minimum Buy Amount Per Order

Lines of code Vulnerability details Impact The MAX_ORDERS constant is defined as a uint96, which has a maximum value of 2^96-1. This means that the maximum number of orders that the contract is able to handle is 2^96-1. However, if the number of orders exceeds this maximum value, the calculation...

prague-ticket-concert.com Cross Site Scripting vulnerability OBB-3103858

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

depositAndTrade::exactInputSingleParams the possible return values not checked

Lines of code Vulnerability details Impact The return values ​​from _collateral.deposit() and _collateral.transferFrom() are not used. This means that the values ​​returned by those functions will not be stored or used in the code. The _swapRouter.exactInputSingle() function also likely returns no....

Overflow in BinMap can break pool

Lines of code https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/libraries/BinMap.sol#L31...

Update initializer library to prevent reentrancy during initialization

Lines of code Vulnerability details Since proxied contracts do not make use of a constructor, it's common to move constructor logic to an external initializer function, usually called initialize. It then becomes necessary to protect this initializer function so it can only be called once. The...

Missing msg.value when executing the cross-chain request

Lines of code https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-optimism/EthereumToOptimismExecutor.sol#L45 https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-polygon/EthereumToPolygonExecutor.sol#L57.....

CrossChainExecutor contracts do not update the necessary states for failing transactions.

Lines of code https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-arbitrum/EthereumToArbitrumExecutor.sol#L31-L45 Vulnerability details Impact The CrossChainExecutorArbitrum and CrossChainExecutorOptimism contracts both use CallLib library to invoke...

DoS on relayCalls when the nonce variable reach type(uint256).max

Lines of code https://github.com/pooltogether/ERC5164/blob/5647bd84f2a6d1a37f41394874d567e45a97bf48/src/ethereum-optimism/EthereumToOptimismRelayer.sol#L49-L78...