Lucene search
K

152 matches found

Positive Technologies
Positive Technologies
added 2023/09/12 12:0 a.m.2 views

PT-2023-5088 · Microsoft · Exchange Server

Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server affected versions not specified Description: The issue is related to errors in access control. It allows a remote attacker to execute arbitrary code in the context of the server account by making a network call. This...

8CVSS9.8AI score0.74671EPSS
Exploits0References9
NVD
NVD
added 2023/09/11 9:15 p.m.35 views

CVE-2023-35667

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

7.8CVSS7.8AI score0.00083EPSS
Exploits0References2
Cvelist
Cvelist
added 2023/09/11 8:9 p.m.24 views

CVE-2023-35667

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

8AI score0.00083EPSS
Exploits0References2
Code423n4
Code423n4
added 2023/09/07 12:0 a.m.34 views

The rUSDY.transferFrom function can cause reentrancy if is a contract been approved

Lines of code Vulnerability details Impact The rUSDY.transferFrom function can cause reentrancy if is a contract been approved, the function looks like: function transferFrom address sender, address recipient, uint256 amount public returns bool uint256 currentAllowance = allowancessendermsg.sende...

6.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2023/06/12 7:50 p.m.31 views

Doorkeeper Improper Authentication vulnerability

OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252section-8.6 the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. This includes the case where the user has previously...

6.5CVSS6.4AI score0.00716EPSS
Exploits1References10Affected Software1
OSV
OSV
added 2023/05/24 10:15 p.m.3 views

CVE-2022-4815

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods...

8.8CVSS5.8AI score0.00628EPSS
Exploits0References1
Code423n4
Code423n4
added 2023/03/18 12:0 a.m.6 views

User can fuse an NFT with minimal cost

Lines of code Vulnerability details Impact User can fuse an NFT with minimal cost Proof of Concept The fuse is used to fuse a new Namespace NFT with the referenced tiles,if it is called, the protocol will transfer fusing costs from msg.sender to revenue address. The fusing costs is calculated...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/02/02 12:0 a.m.14 views

An approved operator of a CID NFT owner can steall any subprotocol NFTs from the CID NFT Owner and his other approved operators.

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. An approved operator of a CID NFT owner, if becomes malicious or compromised, can steal any subprotocol NFTs from the CID NFT Owner and his other approved operators. This is possible because: after...

6.9AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2023/01/24 3:0 p.m.25 views

Rapid7 Added to Carahsoft GSA Schedule Contract

We are happy to announce that Rapid7 has been added to Carahsoft’s GSA Schedule contract, making our suite of comprehensive security solutions widely available to Federal, State, and Local agencies through Carahsoft and its reseller partners. “With the ever-evolving threat landscape, it is...

0.3AI score
Exploits0
Code423n4
Code423n4
added 2022/12/12 12:0 a.m.13 views

Liquidity cannot be removed by an approved address via Router

Lines of code Vulnerability details Impact Using the Router, liquidity can only be removed by the owner of an NFT, which significantly limits liquidity management. The Pool contract, however, does allow approved addresses to remove liquidity. Proof of Concept The Router contract is a higher level...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/09/25 12:0 a.m.13 views

A mistake made by the Minters can result in minting tokens to a wrong address or a zero address.

Lines of code Vulnerability details Impact Tokens can be minted to a wrong address. Proof of Concept The function mintermint is used by the Minters, to mint tokens to the users that successfully used the functions submitAndDeposit, submit and submitAndGive. However there is no check in mintermint...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/09/19 12:0 a.m.10 views

Improper access control in withdraw at Vault.sol

Lines of code Vulnerability details Impact Anyone can withdraw on behalf of approved user Proof of Concept Function withdraw at Vault.sol has incorrect access control. As the owner is passed as a parameter anyone can call withdraw to a approved receiver. This is the same logic used in...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/09/01 12:0 a.m.14 views

Swap at the lower cushion is impossible due to non approved withdrawal. Wrong implementation can cause free swaps.

Lines of code Vulnerability details Impact Currently it is not clear how the swap user is approved for withdrawing from treasury. Depending on implementation, user could swap without spending any tokens, due to approval mechanism in the TRSRY module. Description In the swap function it should be...

6.8AI score
Exploits0
OSV
OSV
added 2022/06/01 12:15 a.m.3 views

CVE-2021-27778

HCL Traveler is vulnerable to a cross-site scripting XSS caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or oth...

4.8CVSS5.8AI score0.00352EPSS
Exploits0References1
NVD
NVD
added 2022/06/01 12:15 a.m.15 views

CVE-2021-27778

HCL Traveler is vulnerable to a cross-site scripting XSS caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or oth...

4.9CVSS0.00352EPSS
Exploits0References1
Code423n4
Code423n4
added 2022/05/30 12:0 a.m.6 views

Approved spender can not withdraw or merge

Lines of code Vulnerability details In the current implementation, withdraw and merge veNFT can be called by approved spender or token owner. function withdrawuint tokenId external nonreentrant assertisApprovedOrOwnermsg.sender, tokenId; function mergeuint from, uint to external...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/05/29 12:0 a.m.14 views

withdraw() and merge() functions of VotingEscrow won't work when an approved user(not owner) calls because _burn() function fails.

Lines of code Vulnerability details Impact withdraw and merge functions of VotingEscrow won't work when an approved usernot owner calls. Proof of Concept withdraw and merge functions call burn function inside and burn function calls removeTokenFrom using msg.sender. But removeTokenFrom requires...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/05/27 12:0 a.m.25 views

VotingEscrow's merge and withdraw aren't available for approved users

Lines of code Vulnerability details Users who are approved, but do not own a particular NFT, are supposed to be eligible to call merge and withdraw from the NFT. Currently burn, used by merge and withdraw to remove the NFT from the system, will revert unless the sender is the owner of NFT as the...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2022/03/01 6:44 p.m.29 views

Uber: Uber Test Report 20220301

Test summary from Team Uber. This is the summary from secret John. This is the edit from hacker John after disclosure was approved. Second test after disclosure...

0.3AI score
Exploits0
Code423n4
Code423n4
added 2022/01/13 12:0 a.m.11 views

Malicious Market Creators Can Steal Tokens From Unsuspecting Approved Reference Accounts

Handle leastwood Vulnerability details Impact The current method of market creation involves calling Factory.createMarket with a list of approved conditions and references accounts. If a registered template address has templatesaddresstemplate.isOpen == true, then any user is able to call...

6.9AI score
Exploits0
Rows per page
Query Builder