22 matches found
GHSA-VJ64-RJF3-W3V7 Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Impact
- Key: challenger/src/multifieldchallenger.rs | MultiField32Challenger::duplexing | transcriptmalleability
- Affected files: challenger/src/multifieldchallenger.rs, field/src/helpers.rs
- Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed fiel...
monerochan-stark (>=5.2.2 <=5.2.12), p3-circle (>=0.1.0 <=0.4.3-succinct) +30 more potentially affected by CVE-2026-46654 via p3-challenger (>=0.1.0 <=0.4.3-succinct)
p3-challenger CARGO version =0.1.0, =5.2.2, =0.1.0, =0.1.0, =0.1.0, =0.1.5-succinct, =0.1.0, =0.1.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.2 and more Source cves: CVE-2026-46654 Source advisory: OSV:GHSA-VJ64-RJF3-W3V7...
charms-sdk (>=0.3.0 <=0.6.3), kzg-rs (>=0.2.3-sp1-4.0.0 <=0.2.5) +77 more potentially affected by unknown CVE via p3-symmetric (>=0.1.0 <=0.4.3)
p3-symmetric CARGO version =0.1.0, =0.3.0, =0.2.3-sp1-4.0.0, =0.20.0, =0.11.0, =5.2.2, =5.2.5, =5.2.2, =0.1.0, =0.4.0, =0.1.0, =0.4.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.4.3-succinct and more Source cves: unknown CVE Source advisory: OSV:GHSA-3G92-F9CH-QJCM...
CVE-2019-12167
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter...
EUVD-2019-3816
Malware in sbrugna...
challenger.com Cross Site Scripting vulnerability OBB-3926760
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Challenger can change the output root or delete output root arbitrarily to authorize invalid withdrawal or block withdrawal infinitely
Lines of code
Vulnerability details
Impact
Challenger can change the output root or delete the output root arbitrarily.
Proof of Concept
In OptimismPortal.sol, when proving and finalizing the transaction, the output root needs to be verified: // Grab the OutputProposal from the L2OutputOracle, will...
The owner of a position can mint ZCHF without limit by becoming the challenger who successfully challenges their own position and receives an unlimited reward.
Lines of code
Vulnerability details
Summary
The owner of a position can become the challenger of their own position and end the challenge within the same block after opening the position, earning an unlimited reward. By executing within the same block, the owner can prevent the intervention of other...
Attacker can extract unlimited ZCHF by setting a high price for a position and challenging it
Lines of code
Vulnerability details
An attacker can act as both minter and challenger and profit by setting an arbitrarily high price for a position, far higher than what the collateral is really worth, and then immediately challenging the position. After the challenge succeeds, the attacker will...
Challenger incentives can be inflated with external transfers
Lines of code
Vulnerability details
Impact
The function notifyChallengeSucceeded calculates the volume of ZCHF to be repaid, which is then used to calculate the reward for the challenger. The challenger can, however, artificially inflate this value. A challenger can start a challenge on an...
Design/Logic Flaw
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter...
CVE-2019-12167
The CVE-2019-12167 entry affects Emerson Network Power Liebert Challenger 5.1E0.5 devices. The vulnerability exists in httpGetSet/httpGet.htm via the statusstr parameter, enabling Cross Site Scripting (XSS). Reported impact is that a remote attacker can inject scripts into a request and have the ...
Emerson Network Power Liebert Challenger 5.1E0.5 Cross Site Scripting
I. VULNERABILITY
httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.
II. CVE REFERENCE
CVE-2019-12167
III. VENDOR
Emerson Network Power
IV. TIMELINE...
challengeritalia.gazzetta.it XSS vulnerability
Open Bug Bounty ID: OBB-683684

| Description | Value |
|---|---|
| Affected Website: | challengeritalia.gazzetta.it |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | hidden until disclosure |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |

CVSSv3...
Robin - the Siri Challenger - Base64 encoded String, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that application Robin - the Siri Challenger published at the 'play' market has multiple vulnerabilities...
Challenger Comics Viewer - Customized SSL, Insecure KeyStore, Redefined SSL Common Names verifier vulnerabilities
HackApp vulnerability scanner discovered that application Challenger Comics Viewer published at the 'play' market has multiple vulnerabilities...