5838 matches found
MISP Cross-Site Scripting Vulnerability (CNVD-2022-64091)
MISP is an open source software solution. The product is used to collect, store, distribute, and share network security metrics and has features such as threat network security event analysis and malware analysis. A cross-site scripting vulnerability exists in versions prior to MISP 2.4.158, which...
Xiaomi Mi Browser Data Forgery Vulnerability
Xiaomi Mi browser is a lightweight web browser from Xiaomi Technology China, Inc. A security vulnerability exists prior to Xiaomi Mi Browser 15.8, which is caused by Xiaomi Mi browser not validating the validity of incoming data. An attacker could exploit this vulnerability to perform sensitive...
Xiaomi Mi App Store Input Validation Error Vulnerability
A security vulnerability exists in Xiaomi Mi App Store, an app store of Xiaomi, a Chinese company. The vulnerability is due to the Xiaomi App Store not verifying the validity of incoming data, which could be exploited by an attacker to cause the app store to automatically download and install app...
chatwoot Cross-Site Scripting Vulnerability
chatwoot is a customer engagement suite, an open source alternative to Intercom, Zendesk, Salesforce Service Cloud, etc. chatwoot suffers from a cross-site scripting vulnerability that stems from the program's lack of data validation filtering of user-supplied data and output. An...
Insufficient oracle data feed validation
Lines of code Vulnerability details Impact Stale prices can lead to the incorrect valuation of assets Proof of Concept The code does not check the other data returned from latestRoundData which must be used to ensure that the data is not stale and that the price is valid File:...
Missing Validations for the return values of Chainlink Price feeds
Lines of code Vulnerability details Impact You check only the answerThe price after calling the chainlink Chainlink Price feeds in the following lines. In addition, you need to check whether the data is really updated. Proof of Concept Tools Used code review Recommended Mitigation Steps Please ad...
ORACLE Data is not properly validated in ChainlinkPriceOracle.sol
Lines of code Vulnerability details Impact Price can be stale which can lead to wrong assetPerBaseInUQ return value Proof of Concept Oracle data feed is insufficiently validated. There is no check for stale price and round completeness. Tools Used Manual review, similar issue was found in yield...
Improper access control
An issue was discovered on Olivetti d-COLOR MF3555 2XDS000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, i...
MISP Cross-Site Scripting Vulnerability
MISP is an open source software solution. The product is used to collect, store, distribute, and share network security metrics and has features such as threat network security event analysis and malware analysis. A cross-site scripting vulnerability exists in versions prior to MISP 2.4.158, which...
Should check return data from chainlink aggregators
Lines of code Vulnerability details Impact The refreshedAssetPerBaseInUQ function in the contract ChainlinkPriceOracle.sol fetches the asset price from a Chainlink aggregator using the latestRoundData function. However, there are no checks on roundID nor timeStamp, resulting in stale prices. The...
Improper Validation Of Chainlink's latestRoundData Function
Lines of code Vulnerability details Impact When using Chainlink Price feeds, it is important to ensure the price feed data was updated recently. While getting started with chainlink requires just one line of code, it is best to add additional checks for "in production" environments. Here,...
latestRoundData might return stale
Lines of code Vulnerability details Impact The contract uses latestRoundData but there is no check if the returned value is stale data or not Proof of Concept code-423n4/2021-12-perennial-findings24 code-423n4/2021-06-tracer-findings73 Tools Used Manual analysis Recommended Mitigation Steps...
CMSimple Cross-Site Scripting Vulnerability (CNVD-2022-71403)
CMSimple is a free content management system. Version 5.4 of CMSimple contains a cross-site scripting vulnerability that stems from the program's lack of data validation filtering of user-supplied data and output. An attacker could exploit this vulnerability to execute JavaScript code on the clie...
Hotel-Mgmt-System Cross-Site Scripting Vulnerability
Hotel-Mgmt-System is a hotel management system. A cross-site scripting vulnerability exists in Hotel-Mgmt-System version 1.0, which stems from a lack of data validation filtering of user-supplied and output data in /admin.php. An attacker could exploit this vulnerability to execute JavaScript cod...
Citrix SD-WAN Cross-Site Scripting Vulnerability
Citrix SD-WAN is a networking product from Citrix, Inc. that allows virtualization and optimization of enterprise site-to-site networks. A cross-site scripting vulnerability exists in Citrix SD-WAN versions prior to 11.4.3a. The vulnerability stems from the program's lack of data validation...
REDCap Cross-Site Scripting Vulnerability (CNVD-2022-81345)
A cross-site scripting vulnerability exists in versions of REDCap prior to 11.4.0, which stems from a lack of data validation filtering of user-supplied data and output in the missing data code functionality of the program. An attacker could exploit this vulnerability to execute JavaScript code o...
Organizr Cross-Site Scripting Vulnerability (CNVD-2022-33830)
Organizr is a tab management system. A cross-site scripting vulnerability exists in versions of Organizr prior to 2.1.1810, which stems from a lack of data validation filtering of user-supplied data and output in the Username and Email fields. An attacker could exploit this vulnerability in the client to...
REDCap Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability exists in versions of REDCap prior to 11.4.0, which stems from a lack of data validation filtering of user-supplied data and output in the missing data code functionality of the program. An attacker could exploit this vulnerability to execute JavaScript code o...
Citrix SD-WAN Cross-Site Scripting Vulnerability
Citrix SD-WAN is a networking product from Citrix, Inc. that allows virtualization and optimization of enterprise site-to-site networks. A cross-site scripting vulnerability exists in Citrix SD-WAN versions prior to 11.4.3a. The vulnerability stems from the program's lack of data validation...
Hotel-Mgmt-System Cross-Site Scripting Vulnerability
Hotel-Mgmt-System is a hotel management system. A cross-site scripting vulnerability exists in Hotel-Mgmt-System version 1.0, which stems from a lack of data validation filtering of user-supplied and output data in /admin.php. An attacker could exploit this vulnerability to execute JavaScript cod...