Seller can steal all the bid fund by repeatedly calling finalize()
Lines of code Vulnerability details Impact Bidders' funds will be stolen by a malicious seller, and they cannot get a refund. Proof of Concept In finalize, FinalizeData memory data is local, which means that in each call, data is re-initialized. By calling finalize multiple times, a malicious seller can get t...
SQL Injection inside category creation (checkIfCategoryExists)
Description A user with the permission to Add category can abuse this feature to execute his own SQL queries. Proof of Concept Static code analysis The vulnerable PHP code is: php public function checkIfCategoryExists(array $categoryData): int { $query = sprintf("SELECT name from %sfaqcategories WHE...
When minting legendary NFT, non-legendary NFTs are burned, but burned token approval is not revoked, burned NFT TokenURI still accessible after burning.
Lines of code Vulnerability details Impact When minting a legendary NFT, non-legendary NFTs are burned, but only the owner of the burned NFT is set to 0: emit Transfer(msg.sender, getGobblerData[id].owner = address(0), id); the burned token's approval is not...
Open-Source Intelligence to Understand the Scope of N-Day Vulnerabilities
Open-Source Intelligence to Understand the Scope of N-Day Vulnerabilities By Charles McFarland · September 21, 2022 The zero-day is the holy grail for cybercriminals; however, N-day vulnerabilities can pose problems even years after discovery. If a target is vulnerable, it doesn't matter whether...
JSSLoader: the shellcode edition
The Malwarebytes Threat Intelligence team observed a malspam campaign in late June that we attribute to the FIN7 APT group. One of the samples was also reported on Twitter by Josh Trombley; during execution, it was observed to drop a secondary payload, written in .NET. Details about FIN7 campaign...
`rustdecimal` is a malicious crate
The Rust Security Response WG and the crates.io team were notified[1] on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained malware. The crate name was intentionally similar to the name of the popular rust_decimal[2] crate, hoping that potential victims would misspell its...
Packj - Large-Scale Security Analysis Platform To Detect Malicious/Risky Open-Source Packages
Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports...
delegatecall() modify merkleRoot, vault may lose all
Lines of code Vulnerability details Impact If the vault contract delegatecalls a malicious contract via execute, the important variable merkleRoot can be modified. If the merkleRoot is well designed by the attacker, the vault will lose all its tokens. Because there are two main requirements for function execute ...
Fee is being deducted when Put is expired and not when it is exercised.
Lines of code Vulnerability details Impact The fee is deducted when a Put expires and not when it is exercised in PuttyV2.sol. The comment on the setFee function says "fee rate that is applied on exercise", which signifies that the fee amount is meant to be deducted from the strike only whe...
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
The plugin accepts all zip files and automatically extracts them without validating the extracted file type, allowing high-privilege users such as admins to upload an arbitrary file like PHP, leading to RCE. As an admin, upload a PHP file containing the payload zipped along with a valid XML...
llvm-toolset:rhel8 bug fix update
An update is available for compiler-rt, lldb, lld, llvm, llvm-toolset, clang, libomp, python-lit. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list LLVM Toolset...
ERC1155 support unchecked - NFT can be lost
Lines of code Vulnerability details Impact It is not checked whether the withdrawn token supports the ERC1155 interface. There is also no check that the necessary approvals have been set for sending the NFT. The fix needs to be applied to all other functions withdrawing ERC1155 tokens. Proof of Concept 1. Observe the...
LambdaGuard - AWS Serverless Security
AWS Lambda is an event-driven, serverless computing platform provided by Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code. LambdaGuard is an AWS Lambda auditing tool designed to create asset...
block.timestamp as time proxy
Lines of code Vulnerability details Impact 1. block.timestamp used as time proxy a. Summary: The risk of using block.timestamp for time should be considered. b. Details: block.timestamp is not an ideal proxy for time because of issues with...
Fund theft in redeemToken() because of rounding in division
Lines of code Vulnerability details Impact When a user calls redeemToken to get his tokens and burn his shares in FeildSource, because of rounding in the division, the decrease in the user's share balance is going to be lower in value than the corresponding withdrawn amount. For example, if the token's decimals were 1 and...
detekt code issue vulnerability
detekt is a static code analysis tool for the Kotlin programming language. A security vulnerability exists in detekt that stems from an improperly restricted XML external entity reference...
Wrong shareChange() function (vToken.sol)
Lines of code Vulnerability details Impact Users can get the wrong amount of vToken, making users lose their funds. Proof of Concept Based on the code in function shareChange in vToken.sol, assume that if oldShare = totalSupply 0, newShares = amountInAsset totalSupply - oldShares / assetBalance -...
PaladinRewardReserve.sol may have potential bugs if it uses new tokens as rewards
Lines of code Vulnerability details Impact PaladinRewardReserve.sol may have potential bugs if it uses new tokens as rewards. Proof of Concept Currently, PaladinRewardReserve.sol has the following behaviors: mapping(address => bool) public approvedSpenders does not store the info regarding which token i...
Fedora: Security Advisory for radare2 (FEDORA-2022-85b277e748)
The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 36 Update: radare2-5.6.4-1.fc36
radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...