微信打赏（Wechat Reward) Security Vulnerabilities

U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator

A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world. Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in....

Russian Hacker “Wazawaka” Indicted for Ransomware

A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavolovich Matveev, a.k.a. "Wazawaka" and "Boriselcin" worked with...

Exploit for Deserialization of Untrusted Data in Apache Kafka

Flink-Kafka-Vul Apache Flink远程代码执行漏洞。 Apache Flink Web...

AMO2 doesn't add the lp balance of the CVXStaker to the withdrawable token amount

Lines of code https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L599-L606 https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L631-L638 https://github.com/code-423n4/2023-05-xeth/blob/main/src/CVXStaker.sol#L204-L206 Vulnerability details Impact The lp tokens held by.....

Inconsistent check for LP balance in AMO

Lines of code https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L600-L604 https://github.com/code-423n4/2023-05-xeth/blob/main/src/AMO2.sol#L632-L636 Vulnerability details Inconsistent check for LP balance in AMO While pulling LP tokens from the CVXStaker contract, the AMO queries.....

preBorrowHook and preRepayHook can call updateRewardTokenBorrowIndex with old borrowIndex

Lines of code Vulnerability details Impact Under normal circumstances, the user calls VToken.borrow, further calls accrueInterest to update borrowIndex, and then calls preBorrowHook to trigger updateRewardTokenBorrowIndex. But since preBorrowHook is an externl function, an attacker can directly...

Unfair handling of rewards for users with a high amount of rewards

Lines of code Vulnerability details Users can claim their rewards in RewardDistributor.claimRewardToken(). The reward handling part is done in _grantRewardToken(): 416: function _grantRewardToken(address user, uint256 amount) internal returns (uint256) { 417: uint256 rewardTokenRemaining =...

Lack of method to delete a rewardsDistributor in Comptroller.sol can break rewards distribution permanently

Lines of code Vulnerability details Proof of Concept The storage array rewardsDistributors will be used to distribute the rewards across the hooks in Comptroller.sol, namely preMintHook(), preRedeemHook(), preBorrowHook(), preRepayHook(), preSeizeHook() and preTransferHook()...

Holders only get the rewards they Accrued for supplying when they claim rewards in the RewardsDistributor.sol .

Lines of code Vulnerability details Holders only get the rewards they Accrued for supplying when they claim rewards in the RewardsDistributor.sol . Summary The holder only gets rewards for supplying instead of getting the rewards for both borrowing and supplying in martkets because in the...

Zero token transfer can cause a potential DoS in CVXStaker

Lines of code Vulnerability details Zero token transfer can cause a potential DoS in CVXStaker The CVXStaker contract doesn't check for zero amount while transferring rewards, which can end up blocking the operation. Impact The CVXStaker contract is in charge of handling interaction with the...

CVXStaker.sol Unable to process newly add rewardTokens

Lines of code Vulnerability details Impact The lack of a mechanism to modify rewardTokens[] If convex adds new extraRewards CVXStaker.sol cannot transfer the added token Proof of Concept CVXStaker.sol will pass in rewardTokens[] in constructor and in getReward(), loop this array to transfer...

Comptroller.sol#healAccount did not call updateRewardTokenBorrowIndex to update the reward

Lines of code Vulnerability details Impact healAccount should call updateRewardTokenBorrowIndex to calculate the reward before affecting the debt value. Proof of Concept Tools Used manual Recommended Mitigation Steps call updateRewardTokenBorrowIndex before heal account. Assessed type Other The...

Missing transaction expiration check result in asset tokens selling at a lower price

Lines of code Vulnerability details Impact Selling of asset tokens misses the transaction expiration check, which may lead to reward tokens being sold at a price that's lower than the market price at the moment of a swap. Proof of Concept The _swapAsset() function, which is responsible for selling....

Lack of Access Control in claimRewards Function

Lines of code Vulnerability details Impact The calculateNewRewards function should also check whether the rewardsCapped variable is greater than the rewardsClaimedInEpoch_ variable to ensure that rewards are not claimed that exceed the reward cap, because an attacker could exploit this...

Delegation rewards are not counted toward granting fund

Lines of code https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L216-L217 Vulnerability details Impact Each period reserves a reward for granting up to 3% (GBC: Global Budget Constraint). The GBC is split into...

Division by Zero Vulnerability in _calculateNewRewards function.

Lines of code Vulnerability details Impact The _calculateNewRewards function in the smart contract performs a division operation with totalInterestEarnedInPeriod, which could be zero, but there is a problem that can result in a division-by-zero error, causing the smart contract to behave...

Treasury accounting miss voters rewards

Lines of code Vulnerability details treasury is overstated over time as each distribution period it adds back the delegate rewards part, which is actually spent on voters rewards. I.e. it is updated with fundsAvailable - totalTokensRequested difference, while totalTokensRequested is limited to 90%....

Incorrect calculation of the remaining updatedRewards leads to possible underflow error

Lines of code https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L725 Vulnerability details Impact RewardsManage.sol keeps track of the total number of rewards collected per epoch for all pools: File:...

stake() function: The provided stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. The function allows any owned position NFT to be staked without considering whether the lender has already staked in the pool. This potentially opens up the system to an abuse where a lender stakes multiple NFTs for the same liquidity position.

Lines of code Vulnerability details Impact The current stake function lacks checks to prevent a lender from staking multiple NFTs in the same Ajna pool. This could lead to an abuse of the system where a lender stakes multiple NFTs for the same liquidity position, potentially earning more rewards...

unstake() function: The unstake function permits the unstaking of multiple position NFTs from the same liquidity pool (LP) by the same lender. This opens the possibility for a lender to claim more Ajna token rewards than they are entitled to by staking and unstaking multiple NFTs associated with the same LP.

Lines of code https://github.com/code-423n4/2023-05-ajna/blob/d80daab705a066828ef1c5d9ba85f315c7c932db/ajna-core/src/RewardsManager.sol#L207-L260 https://github.com/code-423n4/2023-05-ajna/blob/d80daab705a066828ef1c5d9ba85f315c7c932db/ajna-core/src/PositionManager.sol#L227-L241 Vulnerability...

Logic error in _transferAjnaRewards function

Lines of code Vulnerability details Context: ajna-core/src/RewardsManager.sol: 836 */ 837: function transferAjnaRewards(uint256 rewardsEarned ) internal { 838: // check that rewards earned isn't greater than remaining balance 839: // if remaining balance is...

_updateBucketExchangeRates could possibly revert

Lines of code https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L693-L731 https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L697 https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L653-L655...

mint() function: Rogue lenders/attackers could mint multiple/endless position NFTs for their SAME Ajna pool deposits/LPs, when they're supposed to be able to mint only one position NFT per lender per LP per pool.

Lines of code Vulnerability details Impact The current implementation of the mint function allows a lender to mint multiple position NFTs for the same Ajna pool deposit. This could lead to an inflation of NFTs and potentially disrupt the system's reward distribution, as the lender could stake...

CVE-2023-2618

A vulnerability, which was classified as problematic, has been found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this issue is the function DecodedBitStreamParser::decodeHanziSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to memory leak. The...

CVE-2023-2617

A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The....

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services

U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors. The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. The...

CVE-2020-18280

Cross Site Scripting vulnerability found in Phodal CMD v.1.0 allows a local attacker to execute arbitrary code via the EMBED SRC...

Mitigation of M-11: Issue NOT mitigated

Mitigated issue M-11: Residual ETH unreachable and unuitilized in SafEth.sol The issue was that the rounding losses from partitioning msg.value in stake() and rebalanceToWeights() was left irretrievably in the contract. Mitigation review Previously rebalanceToWeights() withdrew all staked funds...

Exploit for Improper Ownership Management in Linux Linux Kernel

README `` gcc -Wall exp.cpkg-config fuse --cflags...

$10M Is Yours If You Can Get This Guy to Leave Russia

The U.S. government this week put a $10 million bounty on a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground's most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov's card-checking...

VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based...

Starting a Career in Tech? Learn How Rapid7’s Emerging Talent Programmes Foster Long-Term Success

Rapid7’s Emerging Talent Programmes pave the way for early career professionals to have a successful career in tech. In Belfast, we offer both an Apprentice Programme and a Placement Programme to support new talent coming into the tech field. The Apprentice Programme is designed for individuals...

CVE-2022-45837

Reflected Cross-Site Scripting (XSS) vulnerability in Denis 微信机器人高级版 plugin <= 6.0.1...

CVE-2022-45837

Reflected Cross-Site Scripting (XSS) vulnerability in Denis 微信机器人高级版 plugin <= 6.0.1...

CVE-2022-45837 WordPress 微信机器人高级版 Plugin <= 6.0.1 is vulnerable to Cross Site Scripting (XSS)

Reflected Cross-Site Scripting (XSS) vulnerability in Denis 微信机器人高级版 plugin &lt;= 6.0.1...

Exploit for SQL Injection in Jeecg Jeecg-Boot

CVE-2023-1454 jmreport/qurestSql 未授权SQL注入批量扫描poc...

Binary Vulnerability in Unisys Browser by Unisys Software Technology Co.

Unisys Software Technology Co., Ltd. is a company specializing in the development and service of operating systems. Unisys Software Technology Limited Unisys Browser suffers from a binary vulnerability that can be exploited by attackers to execute arbitrary...

The owner of position can mint zchf unlimitedly by becoming the challenger that successfully challenges their own position to receive unlimit reward.

Lines of code https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L329-L354 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L252-L276 Vulnerability details...

Attacker can extract unlimited ZCHF by setting a high price for a position and challenging it

Lines of code Vulnerability details An attacker can act as both minter and challenger, and profit by setting an arbitrarily high price for a position (way higher than what the collateral really is worth), and then immediately challenging the position. After the challenge succeeds, the attacker...

Result of transferFrom and transfer are not checked.

Lines of code Vulnerability details [M-01] result of transferFrom and transfer are not checked. It may lead to assets lost if the transfer is somehow failed. below are some examples: contracts/Position.sol 138: collateral.transferFrom(msg.sender, address(this), newCollateral - colbal); 228:...

Challenger incentives can be inflated with external transfers

Lines of code Vulnerability details Impact The function notifyChallengeSucceeded calculates the volume of ZCHF to be repaid, which is then used to calculate the reward for the challenger. The challenger can however artificially inflate this value. A challenger can start a challenge on an...

Challenging invalid positions can allow an attacker to reward himself with infinite tokens

Lines of code https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MintingHub.sol#L140 Vulnerability details Impact An attacker can mint himself as many Frankencoins as he wants in a single transaction by challenging an invalid position. Proof of Concept Steps overview: Since...

end() reverts if bidder blacklisted by collateral token, grieving challenger

Lines of code https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L269 Vulnerability details A successful challenge can be ended via MintingHub.end(). This transfers challenge.size collateral back to the challenger, before repaying....

Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

...

Exploit for SQL Injection in Jeecg Jeecg-Boot

CVE-2023-1454 CVE-2023-1454漏洞检测脚本...

Exploit for SQL Injection in Jeecg Jeecg-Boot

CVE-2023-1454 CVE-2023-1454漏洞检测脚本...

Google Pay accidentally handed out free money, bug now fixed

Days ago, several Google Pay users in the US received some unexpected cashback from Google, congratulating them "for dogfooding the Google Pay Remittance experience". Confused (and a tad happy), some looked to Twitter for answers, while others aired their experiences on the /r/googlepay/ Reddit...

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Denial Of Service

...

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Denial Of Service Exploit

Google Chrome Browser version 111.0.5563.64 suffers from an AXPlatformNodeCocoa fatal out-of-memory denial of service vulnerability on...

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

Title: Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM/Crash (macOS) Advisory ID: ZSL-2023-5770 Type: Local Impact: DoS Risk: (3/5) Release Date: 11.04.2023 Summary Google Chrome browser is a free web browser used for accessing the internet and running web-based applications....