21 matches found
CVE-2025-6109 javahongxi whatsmars InitializrController.java initialize path traversal
A vulnerability was found in javahongxi whatsmars 2021.4.0. It has been rated as problematic. Affected by this issue is the function initialize of the file /whatsmars-archetypes/whatsmars-initializr/src/main/java/org/hongxi/whatsmars/initializr/controller/InitializrController.java. The manipulati...
In the _initialize function of the ETHCrowdfundBase contract, when minTotalContributions is equal to maxTotalContributions, crowdfund will never reach its minimum goal in some specific scenarios
Lines of code Vulnerability details Impact In the initialize function of the ETHCrowdfundBase contract, when minTotalContributions is equal to maxTotalContributions, crowdfund will never reach its minimum goal in some specific scenarios. The ETH of users who contribute to this crowdfund will be...
CVE-2023-30681
An improper input validation vulnerability within initialize function in HAL VaultKeeper prior to SMR Aug-2023 Release 1 allows attacker to cause out-of-bounds write...
Input validation
An improper input validation vulnerability within initialize function in HAL VaultKeeper prior to SMR Aug-2023 Release 1 allows attacker to cause out-of-bounds write...
The admin address used in initialize function, can behave maliciously
Lines of code Vulnerability details N.B : This bug is different than the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...
anyone can call initialize() functions which can cause loss of funds and contract ownership
Lines of code Vulnerability details Impact Most of the smart contracts have an initialize function that anyone can call as initialize function visibility is either external or public. This could lead to a race condition when the contract is deployed. At that moment a hacker or attacker could call...
Upgraded Q -> 2 from #664 [1677633674294]
Judge has assessed an item in Issue 664 as 2 risk. The relevant finding follows: 2- Vault fees can be set greater than 1e18 in the initialize function : The Vault contract implements 4 types of fees deposit, withdrawal, management, performance collected when the user deposits or withdraws tokens,...
Upgraded Q -> 2 from #795 [1677634099280]
Judge has assessed an item in Issue 795 as 2 risk. The relevant finding follows: 04 VALUES OF fees ARE NOT CHECKED IN Vault.initialize FUNCTION When calling the following Vault.initialize function, the values of fees are not checked. It is possible that these fees are set to be above 1e18 when...
Attacker can disable contract functionality
Lines of code Vulnerability details Impact Current setup of the protocol is vulnerable to a DoS attack. This can be achieved by anyone calling initialize on the implementation VRFNFTRandomDraw contract. With the implementation contract initialized the created clones cannot be re-initialized and...
[H-01] owner not set in Pool.sol
Lines of code Vulnerability details The pool.sol contract here is an UUPSUpgradeable contract. But there is no initialize function where __Ownable_init is called, due to which owner is 0x0. It would be impossible to call _authorizeUpgrade or change ownership of the contract. POC Adding the following...
JB721Delegate#initialize _fundingCycleStore lack of zero address check can lead to redeployment
Lines of code Vulnerability details Impact initialize function does not check that fundingCycleStore is not zero. Given that state variable fundingCycleStore can not be set anywhere else, setting it to zero can lead to contract redeployment POC The deployer mistakenly call JB721Delegateinitialize...
Anyone who is malicious can front-run initialize transaction to set pool's initial price to a value that deviates quite a lot from market price, which discourages users from using the pool and makes the pool useless
Lines of code Vulnerability details Impact Calling the following initialize function sets the initial price for the pool. Setting the initial price to be similar to the current market price would encourage users to use the pool. Yet, the initialize transaction is vulnerable to front-running. For...
Missing zero address check for bribesProcessor
Upgraded from 45: Missing zero address check for bribesProcessor MyStrategy.sol:100 ///@dev Change the contract that handles bribes function setBribesProcessor(IBribesProcessor newBribesProcessor) external onlyGovernance { bribesProcessor = newBribesProcessor; } The bribeProcessor is not set in the...
Upgraded Q -> H from 45 [1655007594160]
Judge has assessed an item in Issue 45 as High risk. The relevant finding follows: Impact The CoreCollection initialize function is missing the onlyUnInitialized function. The onlyUnInitialized modifier is not used in the contract right now and this allows the initialize function to be called mor...
Users can not initialize and withdraw tokens if coinsPerSecond is 0
Lines of code Vulnerability details Impact If a user tries to claim a few totalCoins with a long vestingTime, this user's call to the initialize function will fail, and the user can not withdraw funds. Proof of Concept In MerkleResistor.sol L259: uint coinsPerSecond = totalCoins uint100 - tree.pctUpFront /...
Missing onlyUnInitialized modifier on initialize() function
Missing onlyUnInitialized modifier on initialize function Guess that the onlyUnInitialized modifier was created for the initialize function, but it wasn't called on the function. As the name suggests, initialize should be called once early when the contract is deployed. But in the current implementation the...
PoolTemplate.sol initialize() can be called by attacker during deployment
Handle jayjonah8 Vulnerability details Impact In PoolTemplate.sol the initialize function sets important storage variables like conditions and references and this function can only be called once. During deployment an attacker can monitor the blockchain byte code and call the initialize function...
CVE-2017-13135
A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg 0.9.7 and other products, because the CUData::initialize function in common/cudata.cpp mishandles memory-allocation failure...
IP2location.dll 1.0.0.1 - Function 'Initialize()' Local Buffer Overflow
IP2Location.dll v1.0.0.1 Initialize Buffer Overflow by sinn3r / IP2Location.dll v1.0.0.1 Initialize Buffer Overflow Vulnerable version : v1.0.0.1 checksum: d86933ab58720c384bdc081d33684f7d patched version : v1.0.0.1 checksum: bf66e2ef8be3c301b381cfb424ad0afc, v3.0.1.0 Found and coded by sinn3r...
IP2location.dll v1.0.0.1 Function Initialize() Buffer Overflow
Exploit for windows platform in category local exploits ============================================================== IP2location.dll v1.0.0.1 Function Initialize Buffer Overflow ============================================================== IP2Location.dll v1.0.0.1 Initialize Buffer Overflow by...