微信打赏(Wechat Reward) Security Vulnerabilities

code423n4

Reward sandwiching in VotiumStrategy

Lines of code Vulnerability details Summary The reward system in VotiumStrategy can be potentially gamed by users to enter just before rewards are deposited and request an exit after that. Depending on the withdrawal queue, users may exit as early as the next epoch and avoid waiting the normal 16.....

6.9 AI Score

2023-09-27 12:00 AM
1
code423n4

Lack of access control and value validation in the reward flow exposes functions to public access

Lines of code https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/AfEth.sol#L272 Vulnerability details Summary Some functions that are part of the Votium reward flow are left unprotected and can be accessed by anyone to spend resources held by the contract. Impact Rewards coming...

6.8 AI Score

2023-09-27 12:00 AM
2
malwarebytes

TikTok flooded with fake celebrity nude photo Temu referrals

Sites and apps frequently gamify their products and experiences to grow their user base. It's a relatively easy way to have their customers become more involved thanks to whatever incentives may be on offer. A game here, a rewards program there, and everyone is happy. Well, almost everyone. If...

6.8 AI Score

2023-09-25 11:00 AM
9
talosblog

What’s the point of press releases from threat actors?

Welcome to this week's edition of the Threat Source newsletter. As a former reporter, I've seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week. ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort,...

7.3 AI Score

2023-09-21 06:00 PM
18
thn

China Accuses U.S. of Decade-Long Cyber Espionage Campaign Against Huawei Servers

China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries. In a message posted on WeChat, the government authority said U.S....

6.8 AI Score

2023-09-21 09:39 AM
21
githubexploit

Exploit for CVE-2022-32947

CVE-2022-32947 presentation and demo...

8 AI Score

2023-09-17 08:21 AM
371
nuclei

Weaver OA 9.5 - Information Disclosure

A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated...

7.5 CVSS

6.3 AI Score

0.079 EPSS

2023-09-13 12:37 PM
3
cnvd

Anhui Green Persimmon Information Technology Co., Ltd LiveGBS has information leakage vulnerability

LiveGBS is a national standard (GB28181) streaming media service software that provides user management and Web visualization page management, with open source front-end page source code; it provides device status management, so you can view in real time whether the device is offline and...

6.8 AI Score

2023-09-11 12:00 AM
5
cnvd

Anhui Green Persimmon Information Technology Co., Ltd. LiveQing has a logic flaw vulnerability

LiveQing Aoki video streaming service solution. Anhui Green Persimmon Information Technology Co., Ltd LiveQing has a logic flaw vulnerability that can be exploited by attackers to delete arbitrary...

7.2 AI Score

2023-09-11 12:00 AM
2
githubexploit

Exploit for Classic Buffer Overflow in Notepad-Plus-Plus Notepad++

CVE-2023-40031 Notepad++ heap buffer overflow vulnerability: CVE-2023-40031 analysis and reproduction. Vulnerability overview...

7.8 CVSS

7.6 AI Score

0.001 EPSS

2023-09-08 05:43 AM
520
cnvd

Logic flaw vulnerability in LiveGBS of Anhui Green Persimmon Information Technology Co., Ltd (CNVD-2023-72138)

LiveGBS is a national standard (GB28181) streaming media service software that provides user management and Web visualization page management, with open source front-end page source code; it provides device status management, so you can view in real time whether the device is offline and...

7.1 AI Score

2023-09-08 12:00 AM
5
code423n4

The _newPosPrev/_newPosNext hints do not fully prevent invalid ordering when decreasing a delegate's stake.

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1367 Vulnerability details Impact The contract could incorrectly deactivate or reward transcoders based on the invalid pool order. Proof of Concept When.....

6.7 AI Score

2023-09-06 12:00 AM
6
code423n4

Underflow in updateTranscoderWithFees can cause corrupted data and loss of winning tickets.

Lines of code Vulnerability details Summary updateTranscoderWithFees can underflow because MathUtils is used instead of PreciseMathUtils. Proof of Concept According to LIP-92 the initial treasuryRewardCutRate will be set to 10%. treasuryRewardCutRate is set with the...

6.6 AI Score

2023-09-06 12:00 AM
2
code423n4

using increaseTotalStakeUncheckpointed() instead of increaseTotalStake() can lead to inconsistent transcoder state

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1459 Vulnerability details Impact This allows a transcoder to increase their voting power without actually increasing their stake. Proof of Concept The...

7 AI Score

2023-09-06 12:00 AM
3
code423n4

BondManager.updateTranscoderWithFees wrong decimal multiplication. Function always revert due to underflow

Lines of code Vulnerability details BondingManager.sol has 2 mathUtils libraries: MathUtils uses 1e6 as precision while PreciseMathUtils uses 1e27 as precision. Some variables use MathUtils while others use PreciseMathUtils, which might cause confusion. It happens with the treasuryRewardCutRate variable...

7.1 AI Score

2023-09-06 12:00 AM
3
code423n4

lastFeeRound is only updated after adding fees and updating the cumulative fee factor. So when first calling updateTranscoderWithFees() in a new round, lastFeeRound will still be set to the previous round.

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1215-L1217 https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1276...

6.7 AI Score

2023-09-06 12:00 AM
3
code423n4

Incorrect usage of an uninitialized earnings pool if lastRewardRound >= currentRound.

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L327 https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1519-L1520...

6.7 AI Score

2023-09-06 12:00 AM
3
code423n4

Flashloan/Sandwich Attacks on UpdateFunding()

Lines of code Vulnerability details Impact The attacker can launch a sandwich/flashloan attack on the updateFunding() function to gain most of the reward. Proof of Concept The attacker observed that some reward is going to be distributed via updateFunding() function. The attacker borrowed...

7.2 AI Score

2023-09-06 12:00 AM
5
code423n4

on hitting ceiling, the Bonds Manager re configures to stop collecting treasure cut, but does not have inverse logic

Lines of code Vulnerability details Impact The bonds manager configures itself to stop collecting treasury reward cut, if the balance in treasury is above the configured ceiling. But, the resetting of is managed by the admin account manually. The execution of proposals is based on funds in...

6.9 AI Score

2023-09-06 12:00 AM
3
code423n4

Initialization Issue in EarningsPoolL

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/libraries/EarningsPoolLIP36.sol#L59 Vulnerability details Impact the vulnerable part in code : uint256 prevCumulativeRewardFactor = _prevEarningsPool.cumulativeRewardFactor.....

7 AI Score

2023-09-06 12:00 AM
2
code423n4

LastRewardRound is sometimes not checkpointed for Delegators

Lines of code Vulnerability details Impact lastRewardRound is not updated/checkpointed for delegators when transcoder changes state. This results in incorrect rewards and votes. It also violates this checkpointing condition specified by the technical specification: Quote: _"In practical terms,...

6.8 AI Score

2023-09-06 12:00 AM
3
code423n4

An attacker can manipulate the total active stake before calling reward() to get more rewards

Lines of code Vulnerability details Impact Attackers could drain rewards meant for other transcoders. Proof of Concept The key vulnerable code is in the reward()...

6.9 AI Score

2023-09-06 12:00 AM
3
code423n4

When user unbonds before transcoder calls reward, then cumulativeRewardFactor for the round is less than it should be

Lines of code https://github.com/code-423n4/2023-08-livepeer/blob/main/contracts/bonding/libraries/EarningsPoolLIP36.sol#L47-L59 Vulnerability details Impact When user unbonds before transcoder calls reward, then cumulativeRewardFactor for the round is less than it should be. As result other...

6.8 AI Score

2023-09-06 12:00 AM
3
code423n4

Calculating the previous pool's 'cumulativeRewardFactor' from the current pool incorrectly calculates the reward.

Lines of code Vulnerability details Impact When we updated a transcoder with rewards and then try to update a transcoder with fees, it incorrectly calculates the reward generated in the current round for that transcoder, which also incorrectly calculates the previous pool's cumulativeRewardFactor,....

6.7 AI Score

2023-09-06 12:00 AM
1
code423n4

Slashing transcoders on violation should not affect the delegators who staked into such transcoders, delegators should continue to earn rewards

Lines of code Vulnerability details Impact Due to violation of norms, when a transcoder is slashed and forced to resign, the delegators who provided stake into such transcoder should not be affected. The delegators should be able to continue earning the rewards as they delegated their tokens to...

6.8 AI Score

2023-09-06 12:00 AM
3
nuclei

Weaver E-Office 9.5 - Remote Code Execution

A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...

9.8 CVSS

7.8 AI Score

0.106 EPSS

2023-09-05 12:32 PM
12
githubexploit

Exploit for Path Traversal in Stagil Stagil Navigation

Jira plugin STAGIL Navigation: PoC script for the arbitrary file read vulnerability in the FileName parameter...

7.5 CVSS

7.1 AI Score

0.125 EPSS

2023-08-30 11:57 PM
139
qualysblog

Risk Fact #4: Malware in your Cloud means Exploitation is underway

Qualys Blog Series – 2023 TotalCloud Security Insights by the Threat Research Unit The 2023 TotalCloud Security Insights report from the Qualys Threat Research Unit (TRU) provides research insights, best practices, and detailed recommendations organized by five separate Risk Facts. The insights...

9.8 CVSS

9.5 AI Score

0.975 EPSS

2023-08-29 08:02 AM
62
thn

Cyberattacks Targeting E-commerce Applications

Cyber attacks on e-commerce applications are a common trend in 2023 as e-commerce businesses become more omnichannel, they build and deploy increasingly more API interfaces, with threat actors constantly exploring more ways to exploit vulnerabilities. This is why regular testing and ongoing...

7.6 AI Score

2023-08-28 11:27 AM
25
githubexploit

Exploit for Path Traversal in Stagil Stagil Navigation

CVE-2023-26256_POC...

7.5 CVSS

7.1 AI Score

0.014 EPSS

2023-08-28 08:00 AM
81
githubexploit

Exploit for Path Traversal in Stagil Stagil Navigation

CVE-2023-26256_POC...

7.5 CVSS

7.1 AI Score

0.014 EPSS

2023-08-28 08:00 AM
160
cnvd

Command execution vulnerability in Qixingchen Tianyue Network Security Audit System (CNVD-2023-71706)

Providence Peak Network Security Audit System is a compliance management system for fine-grained auditing of users' operations on core IT assets and servers in the network under business environment. A command execution vulnerability exists in Tianyue Network Security Audit System, which can be...

7.6 AI Score

2023-08-28 12:00 AM
1
cnvd

Command Execution Vulnerability in Qixingchen Tianyue Network Security Audit System

Providence Peak Network Security Audit System is a compliance management system for fine-grained auditing of users' operations on core IT assets and servers in the network under business environment. A command execution vulnerability exists in Tianyue Network Security Audit System, which can be...

7.6 AI Score

2023-08-27 12:00 AM
2
cve

CVE-2023-3667

The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8 CVSS

4.8 AI Score

0.0004 EPSS

2023-08-21 05:15 PM
19
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023)

Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....

9.8 CVSS

8.5 AI Score

EPSS

2023-08-17 01:45 PM
44
cnvd

Command Execution Vulnerability in Sky Mirror Web Application Inspection System of Qixing Information Technology Group Co.

Qixing Information Technology Group Corporation is an enterprise mainly engaged in technology promotion and application service industry. A command execution vulnerability exists in the Sky Mirror Web Application Inspection System of Qixing Information Technology Group Co. that can be exploited by....

7.3 AI Score

2023-08-17 12:00 AM
7
osv

1Panel arbitrary file write vulnerability

Summary An arbitrary file write vulnerability could lead to direct control of the server Details Arbitrary file creation In the api/v1/file.go file, there is a function called SaveContent that receives JSON data sent by users in the form of a POST request. And the lack of parameter filtering...

9.8 CVSS

6.9 AI Score

0.001 EPSS

2023-08-10 08:09 PM
7
github

1Panel arbitrary file write vulnerability

Summary An arbitrary file write vulnerability could lead to direct control of the server Details Arbitrary file creation In the api/v1/file.go file, there is a function called SaveContent that receives JSON data sent by users in the form of a POST request. And the lack of parameter filtering...

9.8 CVSS

6.9 AI Score

0.001 EPSS

2023-08-10 08:09 PM
16
github

1Panel O&M management panel has a background arbitrary file reading vulnerability

Summary Arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. Details In the api/v1/file.go file, there is a function called LoadFromFile, which directly reads the file by obtaining the requested path parameter[path]. The request parameters are not...

7.5 CVSS

6.4 AI Score

0.001 EPSS

2023-08-10 08:09 PM
17
osv

1Panel O&M management panel has a background arbitrary file reading vulnerability

Summary Arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. Details In the api/v1/file.go file, there is a function called LoadFromFile, which directly reads the file by obtaining the requested path parameter[path]. The request parameters are not...

7.5 CVSS

7.1 AI Score

0.001 EPSS

2023-08-10 08:09 PM
6
code423n4

Misaligned Epoch Calculation for Reward Claims

Lines of code Vulnerability details Impact When users attempt to claim rewards, the contract calculates the claimEnd and subsequently updates the userClaimedEpoch using claimEnd + WEEK. This might result in misaligned epochs in scenarios where _claimUpToTimestamp is less than or more than a week......

6.8 AI Score

2023-08-10 12:00 AM
4
code423n4

check for the reentrancy attack is missed in the claim function

Lines of code https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/LendingLedger.sol#L179 Vulnerability details Impact The function claim in LendingLedger.sol will send native token $CANTO to the msg.sender by .call, which can be an EOA or a contract,...

6.7 AI Score

2023-08-10 12:00 AM
7
code423n4

Failed transfer with low level call could be overlooked

Lines of code https://github.com/code-423n4/2023-08-verwa/blob/498a3004d577c8c5d0c71bff99ea3a7907b5ec23/src/LendingLedger.sol#L179 Vulnerability details Impact In LendingLedger.sol and votingEscrow.sol, low level call made using the call, According to the Solidity docs, "The low-level functions...

6.8 AI Score

2023-08-10 12:00 AM
5
code423n4

the claim function may underFlow when it calculate the claimEnd

Lines of code Vulnerability details Impact In the claim function there is a possibility of underflow, which leads the transaction to revert. The function may underflow in this line: uint256 claimEnd = Math.min(currEpoch - WEEK, _claimUpToTimestamp) because the currEpoch will return the current...

6.7 AI Score

2023-08-10 12:00 AM
1
code423n4

No need to stack lend pool to take lendlaunger rewards

Lines of code Vulnerability details Impact Lending ledger gives reward tokens to users if they lend their tokens to selected pools. LendingLedger gives rewards weekly and it records the user's balance until the end of the week (especially Thursday, because 1 Jan 1970 was a Thursday). But protocol records can....

6.8 AI Score

2023-08-10 12:00 AM
5
code423n4

User can claim most of the rewards for a lending market by depositing cNote for just 2 blocks / epoch

Lines of code Vulnerability details Impact For a user to receive rewards for supplying cNote in a lending market (LM), he only needs to have supplied the cNote at the end of an epoch. Users staking for the whole duration of an epoch get 0 benefits, compared to users who supply only at the end of...

6.6 AI Score

2023-08-10 12:00 AM
3
code423n4

User don't have to deposit for a week into the market to get his weekly reward from the LendingLedger

Lines of code Vulnerability details Impact In the LendingLedger contract, a user is rewarded with CANTO tokens depending on how long he has his deposit in the market. Rewards are distributed for each week during which the deposit was inside the market. However, the user can cheat this condition...

6.7 AI Score

2023-08-10 12:00 AM
2
code423n4

Double voting in GaugeController

Lines of code https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L397-L403 Vulnerability details Impact Voting with the same collateral multiple times by delegating and undelegating, a process that could manipulatively influence(increase)....

6.7 AI Score

2023-08-10 12:00 AM
2
code423n4

Claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function

Lines of code Vulnerability details Impact When calling claim() on LendingLedger, the claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function. Indeed, msg.sender.call{value: cantoToSend}("") would fail and the claim would revert, not allowing the user...

6.8 AI Score

2023-08-10 12:00 AM
2
code423n4

Risk of silent overflow in rngComplete rewards cast

Lines of code Vulnerability details Impact The rngComplete function uses the rewards function from the RewardLib library to calculates the rewards that should be given, the _rewards returned by the rewards function are of type uint256 but before proceeding to the reward transfer (the call to...

6.9 AI Score

2023-08-07 12:00 AM
3
Total number of security vulnerabilities: 8391