微信打赏（Wechat Reward) Security Vulnerabilities

ConvexMasterChef's deposit and withdraw can be reentered drawing all reward funds from the contract if reward token allows for transfer flow control

Lines of code https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L239-L250 Vulnerability details Reward token accounting update in deposit() and withdraw() happens after reward transfer. If reward token.....

Netnifty Nebula web anti-tampering system has a logic flaw vulnerability

Beijing Netnifty Information Technology Company is a leading enterprise in the domestic information security industry, specializing in the research and development, production and sales of information security products, providing hierarchical overall security solutions and security professional...

Re-entrancy on BaseRewardPool.getReward()

Lines of code Vulnerability details See @audit-info tags: File: BaseRewardPool.sol 280: /** 281: * @dev Gives a staker their rewards, with the option of claiming extra rewards 282: * @param _account Account for which to claim 283: * @param _claimExtras Get the child rewards...

Beijing Netnifty Nebula Information Technology Co., Ltd. webpage anti-tampering system has a logic flaw vulnerability

Beijing Netnifty Information Technology Company is a leading enterprise in the domestic information security industry, specializing in the research and development, production and sales of information security products, providing hierarchical overall security solutions and security professional...

ThinkAdmin insecure unserialize vulnerability

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.phpand app/wechat/controller/api/Push.php, which may lead to arbitrary remote code...

ThinkAdmin insecure unserialize vulnerability

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.phpand app/wechat/controller/api/Push.php, which may lead to arbitrary remote code...

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen. The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac...

Conti Ransomware Operation Shut Down After Splitting into Smaller Groups

Even as the operators of Conti threatened to overthrow the Costa Rican government, the notorious cybercrime gang officially took down its attack infrastructure in favor of migrating their malicious cyber activities to other ancillary operations, including Karakurt and BlackByte. "From the...

Reward may be locked forever if user doesn't claim reward for a very long time such that too many epochs have been passed

Lines of code https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L334-L337 Vulnerability details Impact Reward may be locked forever if user doesn't claim reward for a very long time such that too many epochs have been passed. The...

File upload vulnerability exists in the security management system of Centrin JingYun terminal of Beijing Centrin Link Information Technology Co.

Ltd. is a company whose business scope includes Internet information services; technology development, technology services, technology transfer, technology consulting, etc. Beijing Centrin Link Information Technology Co., Ltd. Centrin King Cloud Terminal Security Management System has a file...

Integer overflow will lock all rewards in AuraLocker

Lines of code https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L802-L814 https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L864 Vulnerability details Impact There is a...

Multi Store Inventory Management System信息泄露漏洞

Multi Store Inventory Management System is a multi-store inventory management system. version 1.0 of Multi Store Inventory Management System contains an information disclosure vulnerability that could be exploited by attackers to access sensitive...

Eight years of the GitHub Security Bug Bounty program

GitHub celebrated yet another record breaking year for our Security Bug Bounty Program in 2021! We’re excited to announce that we recently passed $2,000,000 in total payments to researchers, just two years after we crossed the $1,000,000 mark in 2019. Within the last year, we have paid out over...

Users may lose rewards to other users if rewards are given as fee-on-transfer tokens

Lines of code Vulnerability details Impact If rewards are given in fee-on-transfer tokens, users may get no rewards, breaking functionality Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or :::leak value with a hypothetical attack path with.....

Users can grief reward distribution

Lines of code Vulnerability details Impact Users can grief reward distributions by spending dust Proof of Concept If a reward is targeted for an epoch in the past, a user can front-run the txn in the mempool and call addRewardToEpoch() with a dust amount at an epoch after the one in question. This....

AuraBalRewardPool charges a penalty to all users in the pool if the AuraLocker has been shut down

Lines of code Vulnerability details Impact Users are charged the penalty due to admin actions, and they have no way to avoid it Proof of Concept When claiming their rewards, users are charged a penalty if they take the reward directly, rather than by passing it into the auraLocker. Those are the...

AuraLocker kick reward only takes last locked amount into consideration, instead of whole balance

Lines of code Vulnerability details The issue occurs in AuraLocker, when expired locks are processed via kicking, and if all the user locks have expired. In this scenario, to calculate the kick reward, processExpiredLocks multiplies the last locked amount by the number of epochs between the last...

Exploit for CVE-2022-22916

CVE-2022-22916 CVE-2022-22916,O2OA RCE 远程命令执行 O2OA RCE...

ConvexMasterChef: When _lpToken is duplicated, reward calculation is incorrect

Lines of code Vulnerability details Impact Same as IDX-002 in https://public-stg.inspex.co/report/Inspex_AUDIT2021024_LuckyLion_Farm_FullReport_v2.0.pdf In the ConvexMasterChef contract, a new staking pool can be added using the add() function. The staking token for the new pool is defined using...

ConvexMasterChef: When _lpToken is cvx, reward calculation is incorrect

Lines of code Vulnerability details Impact In the ConvexMasterChef contract, a new staking pool can be added using the add() function. The staking token for the new pool is defined using the _lpToken variable. However, there is no additional checking whether the _lpToken is the same as the reward.....

Lenovo Personal Cloud Storage信息泄露漏洞

Lenovo Personal Cloud Storage is a cloud storage platform from Lenovo, a Chinese company. Lenovo Personal Cloud Storage is vulnerable to information disclosure, which could be exploited by attackers to retrieve device and network...

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

一、Spring Cloud Gateway远程代码执行漏洞 危害等级：高危 POC/EXP情况：已公开...

Jenkins Mercurial Plugin信息泄露漏洞

Jenkins and Jenkins Plugin are both open source Jenkins products. Jenkins is an application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is an application.An information disclosure vulnerability...

Jenkins Pipeline SCM API for Blue Ocean Plugin信息泄露漏洞

Jenkins and Jenkins Plugin are both Jenkins open source products. jenkins is an application. Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. The vulnerability can be exploited to access arbitrary user...

IBM Spectrum Protect Operations Center信息泄露漏洞（CNVD-2022-48933）

IBM Spectrum Protect Operations Center, an IBM company, provides visual control of the IBM Spectrum Protect environment. IBM Spectrum Protect Operations Center versions 8.1.12 and 8.1.13 are vulnerable to information disclosure vulnerability, which stems from the fact that account passwords may be....

Aruba ClearPass Policy Manager信息泄露漏洞

Aruba ClearPass Policy Manager is an application from Aruba, Inc. that provides a secure access management system for wireless networks. an information disclosure vulnerability exists in Aruba ClearPass Policy Manager, which can be exploited by attackers to cause information...

U.S. Warns Against North Korean Hackers Posing as IT Freelancers

Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's malicious cyber intrusions. That's according to a joint advisory from the U.S....

Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government

The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to "overthrow" the new government of the country. "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and...

8 Ways to Avoid CISO Burnout

Times have changed In recent years the job of Chief Information Security Officer (CISO) has become more and more frenetic and involved. Already stretched CISOs have the added responsibilities of employee management in a time of a global pandemic, staff retention when priorities have changed and...

Fake Clickjacking Bug Bounty Reports: The Key Facts

Are you aware of fake clickjacking bug bounty reports? If not, you should be. This article will get you up to speed and help you to stay alert. What are clickjacking bug bounty reports? If we start by breaking up the term into its component parts, a bug bounty is a program offered by an...

InHand Networks InRouter302信息泄露漏洞

InHand Networks InRouter Series is a series of routers from InHand Networks, Inc. An information disclosure vulnerability exists in InHand Networks InRouter302 V3.5.4, which stems from the lack of effective protection of data by the router's configuration export feature. An attacker could exploit.....

ConvexCurveLPVault's _transferYield can become stuck with zero reward transfer

Lines of code Vulnerability details Now there are no checks for the amounts to be transferred via _transferYield and _processTreasury. As reward token list is external and an arbitrary token can end up there, in the case when such token doesn't allow for zero amount transfers, the reward retrieval....

YieldManager: Uniswap token swaps through fixed path may break yield distribution

Lines of code https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L179-L186 https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L48...

Title: Yield can be unfairly divided because of MEV/Just-in-time stablecoin deposits

Lines of code https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/YieldManager.sol#L160-L161 Vulnerability details Impact An attacker can use MEV (via gas auction or Flashbots or control of miners) to cause an unfair division of yield. By providing a very large (relative to the.....

processYield() and distributeYield() may run out of gas and revert due to long list of extra rewards/yields

Lines of code https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/YieldManager.sol#L129-L136 Vulnerability details Impact Yields will not be able to be distributed to lenders because attempts to do so will revert Proof of Concept The...

User can forfeit other user rewards

Lines of code Vulnerability details Impact User can forfeit other user rewards by giving a higher _startIndex in getReward function Proof of Concept Assume User B has not received any reward yet so that his userClaims[_token][User B]=0 User A calls getReward function with _account as User B and...

Reward Manager of the Convex Base Reward Pool Can DoS processYield()

Lines of code Vulnerability details Impact The ConvexCurveLPVault.sol contract allows users to earn a yield on curve token deposits. Rewards are paid out in native CRV and CVX tokens but the reward manager of the base pool may opt to add extra rewards. Because the reward manager has the ability to....

Users Can Game Yield Distributions

Lines of code Vulnerability details Impact processYield() restricts who can call this function to just the vault admin. Upon being processed, the treasury receives its fair share of the yield and the rest is transferred to the YieldManager.sol contract. To distribute yield, the manager calls...

WeChat Pay Java SDK allows XXE

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification...

WeChat Pay Java SDK allows XXE

WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification...

XML External Entity Reference in weixin-java-tools

An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for...

XML External Entity Reference in weixin-java-tools

An issue was discovered in weixin-java-tools. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file. NOTE: this issue exists because of an incomplete fix for...

Command Execution Vulnerability in JingYun Terminal Security Management System of Beijing Centron Link Information Technology Co.

Ltd. was established in July 2016, by Beijing Qixingchen Information Security Technology Co., Ltd., Beijing Beixinyuan Software Co., Ltd., Beijing Zhengyong Information Technology Co. Beijing Centron Lead Information Technology Co., Ltd. Jing cloud terminal security management system there is a...

SQL Injection Vulnerability in Centron View Cloud Terminal Security Management System

Centrin JingYun Terminal Security Management System is an enterprise-level network anti-virus system developed by Beijing Centrin Link Information Technology Co. There is a SQL injection vulnerability in CentronView Cloud Terminal Security Management System, which can be exploited by attackers to.....

Arbitrary File Download Vulnerability in Centron View Cloud Terminal Security Management System

CentronView Terminal Security Management System is an enterprise-level network anti-virus system developed by Beijing CentronView Information Technology Co. There is an arbitrary file download vulnerability in CentronView Cloud Terminal Security Management System, which can be exploited by...

Logic flaw vulnerability in the security management system of Centron View cloud terminal

CentronView Terminal Security Management System is an enterprise-level network anti-virus system developed by Beijing CentronView Information Technology Co. There is a logic flaw vulnerability in the Centron View Cloud Terminal Security Management System, which can be exploited by attackers to...

IBM Robotic Process Automation信息泄露漏洞

IBM Robotic Process Automation is a robotic process automation product from IBM Corporation. It helps you automate more business and IT processes at scale with the ease and speed of traditional RPA. IBM Robotic Process Automation version 21.0.1 is vulnerable to an information disclosure...

Conti Ransomware Attack Spurs State of Emergency in Costa Rica

Costa Rican President Rodrigo Chaves declared a state of national cybersecurity emergency over the weekend following a financially motivated Conti ransomware attack against his administration that has hamstrung the government and economy of the Latin American nation. The attack—attributed to the...

Costa Rica continues defence against sustained Conti ransomware attacks

It's not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documents related to the operation. These leaks continued as the Conti gang expressed support....

U.S. Offering $10 Million Reward for Information on Conti Ransomware Hackers

The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or...