Lucene search

K

微信打赏(Wechat Reward) Security Vulnerabilities

githubexploit

6.5CVSS

6.9AI Score

0.0005EPSS

2023-10-17 08:19 AM
529
githubexploit
githubexploit

Exploit for Improper Access Control in Ruijie Rg-Ew1200G Firmware

Ruijie-RG-EW1200G CVE-2023-4169_CVE-2023-3306_CVE-2023-4415...

9.1AI Score

2023-10-16 05:08 AM
515
githubexploit
githubexploit

Exploit for Improper Authentication in Ruijienetworks Rg-Ew1200G Firmware

Ruijie-RG-EW1200G CVE-2023-4169_CVE-2023-3306_CVE-2023-4415...

8.8CVSS

8.9AI Score

0.007EPSS

2023-10-16 05:08 AM
200
githubexploit
githubexploit

Exploit for Improper Authentication in Ruijienetworks Rg-Ew1200G Firmware

Ruijie-RG-EW1200G CVE-2023-4169_CVE-2023-3306_CVE-2023-4415...

8.8CVSS

8.9AI Score

0.007EPSS

2023-10-16 05:08 AM
42
cnvd
cnvd

File Upload Vulnerability in Qixingchen Tianyue Network Security Audit System

Providence Peak Network Security Audit System is a compliance management system for fine-grained auditing of users' operations on core IT assets and servers in the network under business environment. A file upload vulnerability exists in Tianyue Network Security Audit System, which can be...

7.3AI Score

2023-10-15 12:00 AM
4
githubexploit

9.8CVSS

9.3AI Score

0.003EPSS

2023-10-12 07:39 AM
215
nvd
nvd

CVE-2023-40829

There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and...

7.5CVSS

7.5AI Score

0.001EPSS

2023-10-12 05:15 AM
cve
cve

CVE-2023-40829

There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and...

7.5CVSS

7.5AI Score

0.001EPSS

2023-10-12 05:15 AM
18
prion
prion

Improper access control

There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and...

7.5CVSS

7.5AI Score

0.001EPSS

2023-10-12 05:15 AM
2
cnvd
cnvd

Command Execution Vulnerability in Tianyue Network Security Audit System of Qixingchen Information Technology Group Co. Ltd (CNVD-2023-85472)

Providence Peak Network Security Audit System is a compliance management system for fine-grained auditing of network operation behaviors in business environments. A command execution vulnerability exists in the Tianyue Network Security Audit System of Qixing Information Technology Group Co., Ltd,.....

7.9AI Score

2023-10-12 12:00 AM
8
cvelist
cvelist

CVE-2023-40829

There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and...

7.7AI Score

0.001EPSS

2023-10-12 12:00 AM
mssecure
mssecure

Microsoft Defender for Endpoint now stops human-operated attacks on its own

Defenders need every edge they can get in the fight against ransomware. Today, we're pleased to announce that Microsoft Defender for Endpoint customers will now be able automatically to disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other...

7.4AI Score

2023-10-11 04:00 PM
10
mmpc
mmpc

Microsoft Defender for Endpoint now stops human-operated attacks on its own

Defenders need every edge they can get in the fight against ransomware. Today, we're pleased to announce that Microsoft Defender for Endpoint customers will now be able automatically to disrupt human-operated attacks like ransomware early in the kill chain without needing to deploy any other...

7.4AI Score

2023-10-11 04:00 PM
4
githubexploit
githubexploit

Exploit for CVE-2023-38646

CVE-2023-38646...

9.8CVSS

9.7AI Score

0.901EPSS

2023-10-08 07:36 AM
118
code423n4
code423n4

ClaimConcentratedRewards and claimAmbientRewards don't update liquidity, enabling double rewards claims. Update liquidity after claims.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L87...

6.8AI Score

2023-10-06 12:00 AM
3
code423n4
code423n4

An attacker can exploit the accruing liquidity functionality to accrue liquidity for more weeks than intended.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L237-L253...

6.9AI Score

2023-10-06 12:00 AM
3
code423n4
code423n4

Validate poolIdx input to prevent storage corruption in critical functions.

Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. Proof of Concept The claimConcentratedRewards function. It takes in a poolIdx as one of the parameters: function...

7.2AI Score

2023-10-06 12:00 AM
2
code423n4
code423n4

Rounding error leading to no reward being sent

Lines of code https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L277-L280 Vulnerability details Impact Rounding errors could occur if the provided amount is too small, Proof of Concept...

7AI Score

2023-10-06 12:00 AM
4
code423n4
code423n4

Use of flashloan to inflate timeWeightedWeeklyGlobalAmbLiquidity_[poolIdx][currWeek] and timeWeightedWeeklyPositionAmbLiquidity_[poolIdx][posKey][currWeek]

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L245-L247 Vulnerability details Impact It is possible for a bad player to use flashloan to manipulate the system by making "valuable" LP to get....

6.9AI Score

2023-10-06 12:00 AM
code423n4
code423n4

Manipulation of Overall Liquidity Calculation

Lines of code Vulnerability details Impact in this part in code : https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L276C12-L290C2 is handle the claiming of rewards for liquidity mining. It calculates...

7.1AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

The Liquidity mining callpath sidecar owner can pull native tokens from the Dex

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74 Vulnerability details Impact The owner of liquidity mining sidecar can pull the native coins that are stored in the CrocSwapDex to...

6.7AI Score

2023-10-06 12:00 AM
3
code423n4
code423n4

Race condition on timeWeightedWeeklyGlobalConcLiquidityLastSet_ can lead to incorrect rewards.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L62...

7AI Score

2023-10-06 12:00 AM
4
code423n4
code423n4

Event not emitted after sensitive action of setting new concentrated and ambient rewards.

Lines of code Vulnerability details Impact The 'setConcRewards' and 'setAmbRewards' doesn't emit event to to signify to all parties involved the new concentrated and ambient results. Proof of Concept A user not aware of new reward price might suppose he/she have been swindled upon realizing that...

7.2AI Score

2023-10-06 12:00 AM
3
code423n4
code423n4

Access control check in the setAmbRewards and setAmbRewards functions is missing

Lines of code Vulnerability details Impact Any user can call the setAmbRewards and setAmbRewards functions and set their values for weeklyReward, which opens up many attack vectors. For example, it is possible to set a large reward and withdraw all funds from the protocol. Proof of Concept...

7AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

Lack of proper access restrictions on functions setConcRewards() and setAmbRewards()

Lines of code Vulnerability details Impact Contract Reward distribution can be drained / manipulated Proof of Concept For setConcRewards() and setAmbRewards(), they are both lack of proper access restrictions, leads to the situation that anyone can execute these functions. This oversight presents.....

7.3AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

No access control on protocolCmd and userCmd; potential for abuse.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L41-L52 Vulnerability details Impact There is no access control on the protocolCmd and userCmd functions in LiquidityMiningPath. This...

7.4AI Score

2023-10-06 12:00 AM
code423n4
code423n4

Protect against griefing by allowing only owner to manipulate global liquidity.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L156-L168 Vulnerability details Impact There don't seem to be protections against a malicious actor griefing others by manipulating the global.....

6.8AI Score

2023-10-06 12:00 AM
2
code423n4
code423n4

Lack of validation allows invalid ticks, impacting data integrity.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L29-L31...

7AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

Unvalidated ticks in claimConcentratedRewards allow unauthorized users to claim undeserved rewards. Validate ticks.

Lines of code Vulnerability details Impact There is no check that the ticks passed into claimConcentratedRewards actually match the position's ticks. A user could pass in arbitrary ticks to try to claim rewards for liquidity they don't own. Proof of Concept The claimConcentratedRewards function...

6.8AI Score

2023-10-06 12:00 AM
2
code423n4
code423n4

Reentrancy is possible in claim functions, which call out via .call().

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L256-L289...

6.8AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

LiquidityMining.sol cannot be funded for rewards distribution.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L285-L289 Vulnerability details During a rewards claim LiquidityMining.sol uses a low-level call with the msg.value as the rewardsToSend to the....

7AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

Limit accrueConcentratedPositionTimeWeightedLiquidity calls to prevent reward manipulation.

Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L69-L154...

6.8AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

Front-Running Vulnerability: Exploiting Reward Updates for Maximized Payouts

Lines of code https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L156-L196 https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L256-L289 Vulnerability details Impact Malicious users claim...

6.9AI Score

2023-10-06 12:00 AM
code423n4
code423n4

Slippage attack on claiming rewards

Lines of code Vulnerability details Impact Exploiter can abuse slippage to claim more weekly reward. The amount of slippage damage is unclear due to lack of deployment context and testing. Worst case scenario is the exploiter own 100% deposit of single pool allowing extreme slippage to steal...

6.8AI Score

2023-10-06 12:00 AM
5
code423n4
code423n4

No poolIdx validation; arbitrary values can corrupt storage, require validation.

Lines of code Vulnerability details Impact No validation on poolIdx input for key functions like claimConcentratedRewards. Could pass invalid poolId and corrupt storage. The claimConcentratedRewards function is defined on LiquidityMining.sol. It takes in a poolIdx as one of the parameters function....

7.2AI Score

2023-10-06 12:00 AM
1
code423n4
code423n4

Timestamp Manipulation

Lines of code Vulnerability details Impact there is a problem in that contract especiall when updating tickTrackingIndex within the loop an attacker can manipulate the values of enterTimestamp and exitTimestamp to force tickActiveEnd to be significantly larger than tickActiveStart inflate the...

6.8AI Score

2023-10-06 12:00 AM
4
githubexploit
githubexploit

Exploit for Out-of-bounds Write in Google Chrome

中文 | EN CVE-2023-4863 libwebp dependency...

9AI Score

2023-10-05 03:28 AM
426
malwarebytes
malwarebytes

Exim finally fixes 3 out of 6 vulnerabilities

Exim is a message transfer agent (MTA) originally developed at the University of Cambridge for use on Unix systems connected to the internet, and is freely available under the terms of the GNU General Public Licence. Even though the name may be new to you, a Shodan search revealed 3.5 million...

7.4AI Score

EPSS

2023-10-05 01:00 AM
19
thn
thn

Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware

New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of...

6.7AI Score

2023-10-04 03:09 PM
32
code423n4
code423n4

User Score Not Updated During Interest Claim, Leading to Incorrect Interest Calculations

Lines of code https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L597-L601 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L672-L697 Vulnerability details Impact This oversight in the contract logic may lead to incorrect...

7.1AI Score

2023-10-04 12:00 AM
5
code423n4
code423n4

Incorrect Score calculation in Prime.sol

Lines of code https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L872-L897 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/libs/Scores.sol#L1-L70 Vulnerability details Impact Score is not calculated correctly; improperly high weight.....

7AI Score

2023-10-04 12:00 AM
code423n4
code423n4

Update score system can be bricked

Lines of code Vulnerability details Impact The updateScores function is used to manually update users scores, devlopers have shared their reasoning of this in the documentation. Any change in the alpha and the multipliers will unbalace the reward system because the change cannot be propagated to...

6.9AI Score

2023-10-04 12:00 AM
1
code423n4
code423n4

function 'accrueInterest(address vToken)' allows too many rewards to be allocated

Lines of code Vulnerability details Impact Malicious users can increase the number of rewards they receive within a block. Proof of Concept In the Prime contract, markets[vToken].rewardIndex is used to determine how many rewards are allocated to Prime token holders, and its value can only be...

6.9AI Score

2023-10-04 12:00 AM
2
code423n4
code423n4

Irrevocable token holders can instantly mint a revocable token after burning and bypass the minimum XVS stake for revocable tokens

Lines of code https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L331-L359 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L365-L382...

6.9AI Score

2023-10-04 12:00 AM
2
code423n4
code423n4

A malicious user can avoid unfavorable score updates after alpha/multiplier changes, resulting in accrual of outsized rewards for the attacker at the expense of other users

Lines of code https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L704-L756 https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L623-L639...

7AI Score

2023-10-04 12:00 AM
3
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 18, 2023 to September 24, 2023)

Last week, there were 42 vulnerabilities disclosed in 37 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 10 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

7.2CVSS

6.9AI Score

0.001EPSS

2023-09-28 01:18 PM
31
githubexploit
githubexploit

Exploit for Improper Authentication in Fit2Cloud Jumpserver

红队攻防之JumpServer未授权访问漏洞(CVE-202......

8.2CVSS

7.1AI Score

0.802EPSS

2023-09-27 05:09 AM
316
code423n4
code423n4

M-05 MitigationConfirmed

Lines of code Vulnerability details In the previous implementation when stakingContract.totalAllocPoint = 0 stakingContract.withdraw() and stakingContract.deposit() will div 0 , revert This results in StargateRewardableWrapper no longer being able to execute StargateRewardableWrapper.withdraw()...

7.2AI Score

2023-09-27 12:00 AM
5
code423n4
code423n4

AfEth collaterals cannot be balanced after ratio is changed

Lines of code Vulnerability details Summary The AfEth ratio between the collaterals can be modified but there is no direct way to balance the assets to follow the new ratio. Impact The AfEth contract contains a configurable parameter ratio that indicates the intended balance between the two...

7AI Score

2023-09-27 12:00 AM
2
code423n4
code423n4

Missing slippage control while depositing rewards in SafEth and VotiumStrategy

Lines of code Vulnerability details Summary Deposits to SafEth and VotiumStrategy coming from rewards lack slippage control, making them susceptible to sandwich attacks by MEV bots, which can result in a loss of funds for the protocol. Impact Rewards coming from the VotiumStrategy contract are...

6.9AI Score

2023-09-27 12:00 AM
2
Total number of security vulnerabilities8390