188 matches found
No check for minPrice and maxPrice in the deposit() function
Lines of code Vulnerability details Impact No check for minPrice and maxPrice in the deposit function could lead to unexpected consequences Proof of Concept In the function deposit function deposit address payable privatePool, address nft, uint256 calldata tokenIds, uint256 minPrice, uint256...
totalVotingPower needs to be snapshotted for each proposal because it can change and thereby affect consensus when accepting / vetoing proposals
Lines of code Vulnerability details Impact This issue does not manifest itself in a limited segment of the code. Instead it spans multiple contracts and derives its impact from the interaction of these contracts. In the PoC section I will do my best in explaining how this results in an issue. I...
UK Sets Up Fake Booter Sites To Muddy DDoS Market
The United Kingdoms National Crime Agency NCA has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services. The warning...
CounterV2.setNewVariable can be invoked by anyone.
Lines of code Vulnerability details Impact The CounterV2.setNewVariable is an open function which can be invoked by anyone. function setNewVariableuint256 newVariable external reinitializer2 newVariable = newVariable; This function is intended to be invoked by PluginSetupProcessor &...
Multisig: Users can approve proposals even after getting removed
Lines of code Vulnerability details Impact The Multisig contract intends to enable the creation and approval of proposals among a predetermined list of multisig addresses. The multisig addresses can be added or removed by a authorative identity. While creating a new proposal a snapshotBlock...
Use of strict condition can be manipulated
Lines of code Vulnerability details Impact The use of strict condition can be manipulated by attackers, which can lead to unforeseen consequences. Use = and = instead. Proof of Concept Tools Used Manual review Recommended Mitigation Steps Use loose condition instead like = and = instead. --- The...
Unchecked External Call Vulnerability in ownerOf Function Call.
Lines of code Vulnerability details Impact In the worst-case scenario, if the ownerOf function call reverts due to a security vulnerability in the ERC721 contract, the caller's data could be manipulated, and their funds could be at risk. This could lead to a loss of funds for users who have...
Ransomware Recovery Plan for 2023
Itâs important to defend against ransomware attacks, but is your organization prepared to deal with the consequences of a breach? Find out how to plan an effective ransomware recovery strategy...
CVE-2022-4121
In libetpan a null pointer dereference in mailimapmailboxdatastatusfree in low-level/imap/mailimaptypes.c was found that could lead to a remote denial of service or other potential consequences...
CVE-2022-4121
In libetpan a null pointer dereference in mailimapmailboxdatastatusfree in low-level/imap/mailimaptypes.c was found that could lead to a remote denial of service or other potential consequences...
Nintendo: [MK8DX] Improper ranking/replay file parsing
The vulnerability in the Mario Kart 8 Deluxe game involved improper ranking and replay file parsing. This allowed for potential exploitation, leading to potentially unintended consequences...
The patch is not sufficient: there is another insidious exploit that can cause the same critical consequences
Lines of code Vulnerability details Status Has been reported to and confirmed by Jeff ENS team Note to the Judge I am not sure whether I should label this as a newly-identified High or a mitigation hard error. The root cause of this issue seems as same as the original report, but this requires us...
[ZZ-004] During the deprecation period where both .eth registrar controllers are active, a crafted hack can be launched and cause the same malicious consequences of [ZZ-001] even if [ZZ-001] is properly fixed
Severity: High Status: Has not been reported Description, Specifically, according to the documentation, there will be a deprecation period that two types of .eth registrar controllers are active. Names can be registered as normal using the current .eth registrar controller. However, the new .eth...
Addressing Ransomware in Hospitals & Medical Devices
Ransomware attacks have been on the rise in recent years, and hospitals are increasingly becoming targets. In many cases, these attacks can have devastating consequences, disrupting vital services and putting patients' lives at risk...
Exploit for OS Command Injection in Telesquare Sdt-Cs3B1_Firmware
CVE-2021-46422 Installation Download the Python scri...
Control System Defense: Know the Opponent
Summary Traditional approaches to securing OT/ICS do not adequately address current threats. Operational technology/industrial control system OT/ICS assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for...
CVE-2022-30625
Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences...
KrebsOnSecurity in New Netflix Series on Cybercrime
Netflix has a new documentary series airing next week -- "Web of Make Believe: Death, Lies & the Internet" -- in which Yours Truly apparently has a decent amount of screen time. The debut episode explores the far-too-common harassment tactic of "swatting" -- wherein fake bomb threats or hostage...
Hospitals taken offline after cyberattack
The GHT Coeur Grand Est has become a victim of a cyberattack on the hospital centers of Vitry-le-François and Saint-Dizier. The hospitalâs administration has warned French that data have been exfiltrated and might be used for phishing in the future. As a consequence, the GHT CĹur Grand Est has cu...
Exchange does not split royalty revenue correctly
Lines of code Vulnerability details According to the README.md If royalty information was not defined when the NFT was originally deployed, it may be added using the Royalty Registry which will be respected by our market contract. The actual exchange code only respects the Royalty Registry or oth...