Lucene search

361 matches found

Code423n4
added 2023/08/10 12:0 a.m., 8 views

L1SCMgmtActivationAction does not check executor role of new and prev emergency security council

Lines of code Vulnerability details Proof of Concept GovernanceChainSCMgmtActivationAction.sol checks that the newEmergencySecurityCouncil has an upgradeExecutor role whereas the prevEmergencySecurityCouncil does not have an upgradeExecutor role. GovernanceChainSCMgmtActivationAction.sol // confirm...

6.8 AI score
Exploits 0

Code423n4
added 2023/08/09 12:0 a.m., 6 views

The upgrade executor is granted the canceller role instead of the new emergency security council.

Lines of code Vulnerability details Impact In L1SCMgmtActivationAction.sol, the perform function is not granting role to the new emergency security council. It instead grants it to the upgrade executor. This logic doesn't align with the function inline comment and can prevent the perform function...

6.8 AI score
Exploits 0

Code423n4
added 2023/07/31 12:0 a.m., 6 views

the unfollow contract does random unfollow process of random follow token.

Lines of code Vulnerability details Impact in the FollowNft.sol we have to unfollow function this function is supposed to do unfollow process but as you see the followTokenId variable just returns one random follow id with profile id through mapping and there is no option to select which follow n...

7 AI score
Exploits 0

NVD
added 2023/07/28 3:15 p.m., 8 views

CVE-2023-39023

university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument...

9.8 CVSS, 9.7 AI score, 0.00131 EPSS
Exploits 1, References 1

ATTACKERKB
added 2023/07/28 3:15 p.m., 1 views

CVE-2023-39023

university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument...

9.8 CVSS, 7.4 AI score, 0.00131 EPSS
Exploits 1, References 2

OSV
added 2023/07/28 3:15 p.m., 2 views

CVE-2023-39023

university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument...

9.8 CVSS, 5.8 AI score
Exploits 0, References 1

CNNVD
added 2023/07/28 12:0 a.m., 1 views

University Compass code injection vulnerability

University Compass is a college counseling application from University Compass, Inc. A security vulnerability exists in University Compass v2.2.0 and earlier versions, which stems from the inclusion of a code injection vulnerability in the component...

9.8 CVSS, 8.4 AI score, 0.00131 EPSS
Exploits 1, References 2

Vulnrichment
added 2023/07/28 12:0 a.m., 10 views

CVE-2023-39023

university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument...

8 AI score, 0.00131 EPSS
Exploits 1, References 1

Cvelist
added 2023/07/28 12:0 a.m., 15 views

CVE-2023-39023

university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument...

9.8 AI score, 0.00131 EPSS
Exploits 1, References 1

Code423n4
added 2023/07/21 12:0 a.m., 3 views

Users do not get charged for the value their proposal will need

Lines of code Vulnerability details Impact Depending on whether the destination chain InterchainProposalExecutor's native token balance the transaction will either steal funds or will fail. Proof of Concept Users can provide an amount of native tokens they want to send to the call they will make ...

7 AI score
Exploits 0

Github Security Blog
added 2023/07/19 10:8 p.m., 23 views

Hazelcast Executor Services don't check client permissions properly

Impact In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG all versions up to 4.2.z, Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

8.8 CVSS, 7 AI score, 0.0023 EPSS
Exploits 0, References 8, Affected Software 2

OSV
added 2023/07/19 10:8 p.m., 1 views

GHSA-C5VJ-WP4V-MMVX Hazelcast Executor Services don't check client permissions properly

Impact In Hazelcast Platform, 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG all versions up to 4.2.z, Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

7.6 CVSS, 6 AI score, 0.0023 EPSS
Exploits 0, References 7

ATTACKERKB
added 2023/07/18 4:15 p.m., 1 views

CVE-2023-33265

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

8.8 CVSS, 7.5 AI score, 0.0023 EPSS
Exploits 0, References 3

NVD
added 2023/07/18 4:15 p.m., 14 views

CVE-2023-33265

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

8.8 CVSS, 0.0023 EPSS
Exploits 0, References 2

OSV
added 2023/07/18 4:15 p.m., 25 views

CVE-2023-33265

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

8.8 CVSS, 7.2 AI score, 0.0023 EPSS
Exploits 0, References 2

Prion
added 2023/07/18 4:15 p.m., 25 views

Design/Logic Flaw

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

6.5 CVSS, 8.7 AI score, 0.0023 EPSS
Exploits 0, References 2, Affected Software 2

Vulnrichment
added 2023/07/18 12:0 a.m., 15 views

CVE-2023-33265

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

6.9 AI score, 0.0023 EPSS
Exploits 0, References 2

Cvelist
added 2023/07/18 12:0 a.m., 15 views

CVE-2023-33265

In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted...

8.9 AI score, 0.0023 EPSS
Exploits 0, References 2

CVE
added 2023/07/18 12:0 a.m., 151 views

CVE-2023-33265

Hazelcast vulnerability CVE-2023-33265 affects Hazelcast Platform/IMDG versions 5.0.4 or earlier, 5.1 up to 5.1.6, and 5.2 up to 5.2.3. The root cause is that executor services do not properly enforce client permissions, allowing authenticated users to execute tasks on cluster members without the...

8.8 CVSS, 8.7 AI score, 0.0023 EPSS
Exploits 0, References 2, Affected Software 2

Code423n4
added 2023/06/14 12:0 a.m., 7 views

User ETH will be stacked on Executor contract if the target script doesn't handle ETH.

Lines of code Vulnerability details Description When user wants to execute an action, he must send ETH equal to the actionInfo.value, this ETH should be forwarded to executor.execute contract. Note: the function currently doesn't forward the ETH, it's explained on another issue 48, the fix is to...

7.1 AI score
Exploits 0