20 matches found
CVE-2026-12205
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign on a Key object picks a nonce, and every later sign on that same object...
CoinMate.io: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API
A vulnerability was discovered in the HMAC signature verification process of the CoinMate API. The signature was calculated using only the nonce, client ID, and public key, omitting the HTTP endpoint and request payload. This allowed an attacker to hijack a valid signature intended for a read-onl...
CVE-2019-16753
An issue was discovered in Decentralized Anonymous Payment System DAPS through 2019-08-26. The content to be signed is composed of a representation of strings, rather than being composed of their binary representations. This is a weak signature scheme design that would allow the reuse of signatur...
EUVD-2013-2118
Malware in sbrugna...
EUVD-2019-7290
Malware in sbrugna...
GHSA-VJH7-7G9H-FJFH Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Summary Private key can be extracted from ECDSA signature upon signing a malformed input e.g. a string or a number, which could e.g. come from JSON network input Note that elliptic by design accepts hex strings as one of the possible input types Details In this code:...
SUSE CVE-2020-10702
A flaw was found in QEMU in the implementation of the Pointer Authentication PAuth support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker...
Replayable signature in the mintReceipt function
Lines of code Vulnerability details Description In the mintReceipt function there is a check of the claimSignerAddress signature: if keccak256abi.encodePackedmsg.sender, questId != hash revert InvalidHash; if recoverSignerhash, signature != claimSignerAddress revert AddressNotSigned; The signatur...
KYC signature can be reused to regain KYC status
Lines of code Vulnerability details The function addKYCAddressViaSignature of the KYCRegistry contract allows a user to be granted a KYC status using a signature provided by Ondo. The function validates that the signer has the corresponding role for the requirement group and adds the user to the...
Reuse of signature to get KYCd after it has been removed
Lines of code Vulnerability details Impact There is no time limit on the validity off KYC digests and users with a removed KYC are not saved. If a issuer of such a digest is either compromised or if they by mistake issue a digest with a deadline far into the future a user could reuse the same...
CVE-2022-35961 ECDSA signature malleability in OpenZeppelin Contracts
OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...
updateProjectHash does not check project address
Lines of code Vulnerability details In Project.sol, function updateProjectHash L162, data which is signed by builder and/or contractor does not contain a reference to the project address. In all other external functions of Project.sol, data contains the address of the project, used in this check:...
PT-2021-16810 · Cosmos Network · Ethermint
Name of the Vulnerable Software and Affected Versions: Cosmos Network Ethermint versions = v0.4.0 Description: The issue is related to a cross-chain transaction replay vulnerability in the EVM module. This vulnerability is caused by the use of the same chainID and signature schemes with Ethereum...
UBUNTU-CVE-2020-10702
A flaw was found in QEMU in the implementation of the Pointer Authentication PAuth support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker...
Decentralized Anonymous Payment System Data Forgery Issue Vulnerability
Decentralized Anonymous Payment System DAPS is a decentralized anonymous payment system. A Data Forgery Issue vulnerability exists in DAPS 2019-08-26 and prior versions, which stems from the program's use of a weak signature mechanism that can be exploited by an attacker to reuse signatures...
CVE-2019-16753
An issue was discovered in Decentralized Anonymous Payment System DAPS through 2019-08-26. The content to be signed is composed of a representation of strings, rather than being composed of their binary representations. This is a weak signature scheme design that would allow the reuse of signatur...
DEBIAN-CVE-2018-18509
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with...
The vulnerability of the S/MIME signature verification mechanism in Thunderbird’s email processing software arises from incomplete verification of digital signatures. This allows attackers to re-sign emails with a valid digital signature.
The vulnerability of the S/MIME signature verification mechanism in Thunderbird’s email processing lies in the incomplete verification of digital signatures. Exploiting this vulnerability allows an attacker to re-sign emails with a valid digital signature...
UBUNTU-CVE-2018-18509
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with...
CVE-2013-2153
The XML digital signature functionality xsec/dsig/DSIGReference.cpp in Apache Santuario XML Security for C++ aka xml-security-c before 1.7.1 allows context-dependent attackers to reuse signatures and spoof arbitrary content via crafted Reference elements in the Signature, aka "XML Signature Bypas...