Transfer remainder of msg.value is bad practice
Lines of code Vulnerability details Impact Transfer remainder of msg.value is bad practice. Can lead to out of gas, reentrancy and so on. Proof of Concept Tools Used Static analytics Recommended Mitigation Steps Can create method getReminder and user to call to get all remainders for him. --- The...
quorumvotes() on LogicV2 changed its signature.
Lines of code Vulnerability details Impact The team states: // NounsDAOLogicV2 removes: // - quorumVotes has been replaced by quorumVotes(uint256 proposalId). But the signature of the function changed. It is a read-only function and it is hard to imagine a bad transaction flow with it. But is a bad...
TributeAccrual missing out-of-bounds checks
Handle cmichel Vulnerability details Vulnerability Details The addTribute and addGovernanceTribute functions underflow when there are no tributes: Tribute storage lastTribute = tributes[totalTributes - 1] = tributes[-1]; // underflow Impact It's bad practice and the iteration with the offset in...
Kubernetes: Plaintext storage of a password on kubernetes release bucket
Report Submission Form Summary: During my recon I found these two buckets, dl.k8s.io and dl.kubernetes.io, which actually redirect to https://storage.googleapis.com/kubernetes-release/. By searching for the string "password" under https://storage.googleapis.com/kubernetes-release/ I found a file calle...
Nextcloud: The password recovery let users know whether an email address exists or not in the website
URL: https://apps.nextcloud.com/password/reset/ I have tried to recover the password for some emails: [email protected] exists, [email protected] does not exist. After I clicked the "reset my password" button, the website informed me that the email did not exist. Impact This is a bad practice, and it ...
bitbucket attempted security breach
Bitbucket https://bitbucket.org/socialauth/migrate/?next=/ is asking for my atlassian password. Asking for a password for another website is at best bad practice...