734 matches found

Veracode, added 2023/08/10 9:35 a.m. (11 views)

Weak Cryptography

github.com/supranational/blst is vulnerable to Weak Cryptography. The vulnerability exists due to logic errors in the SigValidate function, which result in a group-check omission...

AI score: 6.8
Exploits: 0
Veracode, added 2023/08/04 4:52 a.m. (35 views)

Cross-Site Scripting (XSS)

github.com/golang/net is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly escape user input in text nodes outside the HTML namespace, allowing an attacker to inject and execute malicious JavaScript in a victim's browser...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00843
Exploits: 0 | References: 5 | Affected software: 1
Veracode, added 2023/08/04 3:29 a.m. (40 views)

Denial Of Service (DoS)

github.com/golang/go is vulnerable to Denial Of Service (DoS). The vulnerability exists because handshakeclient.go does not set a maximum RSA key size, so extremely large RSA keys in certificate chains can make a client expend significant CPU time verifying signatures. The fix sets the...

CVSS: 5.3 | AI score: 6.7 | EPSS: 0.01328
Exploits: 0 | References: 12 | Affected software: 2
Veracode, added 2023/07/28 9:26 a.m. (12 views)

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the registerResourceRoutes function in resource.go due to insufficient checks on external resources, which allows an attacker to inject and execute arbitrary JavaScript...

CVSS: 6.1 | AI score: 6.8 | EPSS: 0.00534
Exploits: 1 | References: 3 | Affected software: 1
Veracode, added 2023/07/28 9:16 a.m. (14 views)

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to stored Cross-site Scripting (XSS). The vulnerability exists in the registerResourcePublicRoutes function in resource.go because the resource upload feature does not restrict the type of uploaded file, allowing an attacker to inject and execute arbitrary...

CVSS: 5.4 | AI score: 6.8 | EPSS: 0.00575
Exploits: 1 | References: 5 | Affected software: 1
Veracode, added 2023/07/28 9:01 a.m. (16 views)

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to stored Cross-site Scripting (XSS). The vulnerability exists in the registerResourcePublicRoutes function in resource.go because the default-src directive of the CSP is not properly configured, which allows an attacker to bypass the CSP and inject and execute arbitrary JavaScript...

CVSS: 5.4 | AI score: 6.8 | EPSS: 0.00498
Exploits: 1 | References: 5 | Affected software: 1
Veracode, added 2023/07/20 9:16 a.m. (10 views)

X/crisis Does Not Charge ConstantFee

github.com/cosmos/cosmos-sdk is vulnerable to a missing ConstantFee charge. If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK...

AI score: 6.8
Exploits: 0
Veracode, added 2023/07/19 2:53 a.m. (17 views)

Denial Of Service (DoS)

github.com/hamba/avro is vulnerable to Denial Of Service (DoS). The vulnerability exists in the ReadString function of reader.go because config.go does not properly restrict the maximum size of the bytes and string types, allowing an attacker to cause an application crash by providing a maliciously...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00797
Exploits: 1 | References: 6 | Affected software: 1
Veracode, added 2023/07/17 3:51 a.m. (39 views)

CRLF Injection

github.com/golang/go is vulnerable to CRLF Injection. The vulnerability exists because the library does not properly sanitize the Request.Host field, which allows an attacker to send a maliciously crafted Host field in the request header...

CVSS: 6.5 | AI score: 6.7 | EPSS: 0.0125
Exploits: 0 | References: 13 | Affected software: 3
Veracode, added 2023/07/12 12:22 p.m. (26 views)

Denial Of Service (DoS)

github.com/cometbft/cometbft is vulnerable to Denial of Service (DoS) attacks. A deadlock is introduced when the PeerState struct is serialized to JSON via the new MarshallJSON method. One way to reach it is via logs: setting the consensus module to debug level and changing the output format to JSON. O...

CVSS: 5.3 | AI score: 6.9 | EPSS: 0.0069
Exploits: 1 | References: 7 | Affected software: 1
Veracode, added 2023/07/12 10:35 a.m. (14 views)

Denial Of Service (DoS)

github.com/cometbft/cometbft is vulnerable to Denial of Service (DoS) attacks. The mempool uses two data structures, a list and a map, to keep track of unfinished transactions. If these structures get out of sync, the same transaction may occur several times, even though they should b...

CVSS: 8.2 | AI score: 6.7 | EPSS: 0.00742
Exploits: 1 | References: 6 | Affected software: 1
Veracode, added 2023/07/12 6:47 a.m. (27 views)

Open Redirect

github.com/go-gitea/gitea is vulnerable to Open Redirect. The vulnerability exists due to improper path sanitization in the RedirectToFirst function, which allows an attacker to send a crafted POST request that redirects the victim to a malicious site...

CVSS: 4.4 | AI score: 6.6 | EPSS: 0.00407
Exploits: 1 | References: 8 | Affected software: 1
Veracode, added 2023/07/10 5:43 a.m. (16 views)

Denial Of Service (DoS)

github.com/corazawaf/coraza is vulnerable to Denial Of Service (DoS). The vulnerability exists in the Read function of multipart.go due to misuse of the log.Fatalf function, which allows an attacker to cause an application crash by sending maliciously crafted requests...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.00605
Exploits: 0 | References: 3 | Affected software: 1
OSV, added 2023/07/06 8:13 p.m. (6 views)

GO-2023-1881 The x/crisis package does not charge ConstantFee in github.com/cosmos/cosmos-sdk

If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is not charged. No patch will be released, as the package is planned to be deprecated and replaced...

AI score: 7
Exploits: 0 | References: 2
Veracode, added 2023/07/04 1:39 p.m. (13 views)

Improper Authentication

github.com/labring/sealos is vulnerable to Improper Authentication. The vulnerability exists due to improper configuration of RBAC permissions, which allows an attacker to gain access and perform unauthorized actions...

CVSS: 9.9 | AI score: 7 | EPSS: 0.00591
Exploits: 0 | References: 2 | Affected software: 1
Veracode, added 2023/07/04 7:41 a.m. (22 views)

Weak Cryptography

github.com/bishopfox/sliver is vulnerable to weak cryptography. The vulnerability exists because it does not properly implement NaCl Box (libsodium), which allows an attacker to execute arbitrary code on implanted devices and intercept user responses...

CVSS: 8.1 | AI score: 7.5 | EPSS: 0.00477
Exploits: 0 | References: 5 | Affected software: 1
OSV, added 2023/06/30 10:13 p.m. (10 views)

GHSA-W5W5-2882-47PC github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

x/crisis does not charge ConstantFee. Impact: If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK. Details: The x/crisis module is supposed to...

AI score: 7
Exploits: 0 | References: 3
Code423n4, added 2023/06/23 12:00 a.m. (13 views)

Almost all of the github.com/cosmos/cosmos-sdk/types will be deprecated

Lines of code. Vulnerability details. Impact: Code in the scope won't work if the would be updated. Proof of Concept: It is clearly seen that in the it is fixed version of v0.45.9. However, in the next version of cosmos-sdk all of the Int methods will be deprecated. Almost all of the code in the scope i...

AI score: 6.9
Exploits: 0
OSV, added 2023/06/22 4:36 p.m. (22 views)

GO-2023-1861 Cosmos "Barberry" vulnerability in github.com/cosmos/cosmos-sdk

The cosmos-sdk module is affected by the vulnerability codenamed "Barberry"...

AI score: 7.1
Exploits: 0 | References: 2
Veracode, added 2023/06/19 9:37 a.m. (13 views)

Privilege Escalation

github.com/stolostron/governance-policy-propagator is vulnerable to Privilege Escalation. In a formed policy, the library allows dynamically acquired policies to leverage cluster-scoped access, enabling a local attacker to access resources from the namespace where the policy was...

CVSS: 7.8 | AI score: 6.6 | EPSS: 0.00198
Exploits: 0 | References: 2 | Affected software: 1