Ping Identity PingIDM 7.5.0 Query Filter Injection
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Query Filter Injection product: Ping Identity PingIDM formerly known as ForgeRock Identity Management vulnerable version: v7.0.0 - v7.5.0 and older unsupported versions...
OverInflation or OverDeflation of Value of ERC20 tokens with unequal Wrap and Unwrap Token Decimal
Lines of code Vulnerability details Impact Due to the wrong argument order in the convertDecimals... call made during the wrap and unwrap of an ERC20 token, the value of ERC20 tokens with unequal wrap and unwrap token decimals is over-inflated or over-deflated, which would cause...
RTokenAsset price oracle can return a huge but valid high price when any underlying collateral's price oracle timeout
Lines of code Vulnerability details The RTokenAsset is an implementation of the IRTokenOracle interface that works as an oracle price feed for the RToken. RTokenAsset implements the latestPrice function to get the oracle price and saved time from the cachedOracleData, which is updated by...
The Asset.lotPrice doubles the oracle timeout in the worst case
Lines of code Vulnerability details When the tryPrice function reverts, for example on oracle timeout, Asset.lotPrice uses a decayed historical value: uint48 delta = uint48(block.timestamp) - lastSave; // {s} ... if (delta >= oracleTimeout + priceTimeout) return (0, 0); // no price after full timeout else...
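The staleness window the finding describes can be checked with a small model. This is an added Python model, not the Reserve protocol's Solidity, and it assumes three things the snippet does not show: that a successful tryPrice result is cached as savedPrice/lastSave on refresh, that tryPrice reverts once the feed is older than oracleTimeout, and that lotPrice decays linearly between oracleTimeout and oracleTimeout + priceTimeout. The two branches taken from the snippet (undecayed while delta <= oracleTimeout, zero after the full timeout) are the ones that produce the doubling.

```python
from dataclasses import dataclass


@dataclass
class AssetModel:
    """Toy model of an asset with a cached price and a decaying fallback (assumed shape)."""
    oracle_timeout: int          # seconds the feed answer is trusted (oracleTimeout)
    price_timeout: int           # extra seconds over which the fallback decays to zero (priceTimeout)
    oracle_updated_at: int = 0   # constructed feed state: last feed update time
    oracle_price: float = 0.0
    saved_price: float = 0.0     # cached price (savedPrice, assumed name)
    last_save: int = 0           # time the cache was written (lastSave)

    def try_price(self, now: int) -> float:
        # Assumption: reverts (raises) once the feed is older than oracleTimeout.
        if now - self.oracle_updated_at > self.oracle_timeout:
            raise RuntimeError("StalePrice")
        return self.oracle_price

    def refresh(self, now: int) -> None:
        # Assumption: a successful tryPrice is cached; a revert leaves the cache alone.
        try:
            self.saved_price = self.try_price(now)
            self.last_save = now
        except RuntimeError:
            pass

    def lot_price(self, now: int) -> float:
        # Fresh price if tryPrice succeeds; otherwise the fallback from the snippet.
        try:
            return self.try_price(now)
        except RuntimeError:
            pass
        delta = now - self.last_save                       # {s}, measured from lastSave, not from the feed
        if delta <= self.oracle_timeout:
            return self.saved_price                        # undecayed
        if delta >= self.oracle_timeout + self.price_timeout:
            return 0.0                                     # no price after full timeout
        remaining = self.oracle_timeout + self.price_timeout - delta
        return self.saved_price * remaining / self.price_timeout   # assumed linear decay


def worst_case_staleness(oracle_timeout: int = 3600, price_timeout: int = 86400) -> dict:
    """Refresh at the very edge of the oracle window, then let the feed go silent."""
    a = AssetModel(oracle_timeout, price_timeout)
    a.oracle_updated_at = 0            # constructed: feed last updated at t = 0
    a.oracle_price = 100.0
    a.refresh(now=oracle_timeout)      # cache written when the feed is already oracleTimeout old
    t = 2 * oracle_timeout             # feed is now twice oracleTimeout old
    return {
        "lot_price_at_2x": a.lot_price(t),          # still the undecayed cached price
        "feed_age_at_2x": t - a.oracle_updated_at,  # 2 * oracleTimeout
        "decays_after_2x": a.lot_price(t + 1) < a.saved_price,
        "zero_at_full": a.lot_price(2 * oracle_timeout + price_timeout),
    }
```

Because delta is measured from lastSave rather than from the feed's own timestamp, a cache written just inside the oracle window is served undecayed for another full oracleTimeout, so the underlying data can be 2 * oracleTimeout old before any decay starts.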
setThreshold can bypass cool down period in setGSCAllowance
Lines of code Vulnerability details Impact setThreshold can bypass the cool-down period in setGSCAllowance and decrease gscAllowance[token]. Proof of Concept In setGSCAllowance, there is a cool-down period of 7 days before the admin can set a new allowance for gscAllowance[token], either increasing or...
Block Gas Calculation Error
Lines of code Vulnerability details Impact Two instances of a block gas calculation error can be spotted at L360 and L386 of the ArcadeTreasury.sol contract. Based on the code comment, the purpose of these lines is to calculate the block gas limit in other ...
GHSA-PXFV-7RR3-2QJG copyparty vulnerable to path traversal attack
Summary All versions before 1.8.2 have a path traversal vulnerability, allowing an attacker to download unintended files from the server. Details Unauthenticated users were able to retrieve any files which are accessible according to OS-level permissions from the copyparty process. Usually, this ...
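The class of bug described above, a file server resolving a user-supplied path under its share root without checking where the result lands, is illustrated below. This is an added Python example, not copyparty's code and not its actual fix; the directory layout and the "../secret.txt" request are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: join and normalize, but never check the result stays under root.

    normpath collapses "../" segments, so the returned path can point outside the share.
    """
    return os.path.normpath(os.path.join(root, requested.lstrip("/")))


def safe_resolve(root: str, requested: str) -> Optional[Path]:
    """Hardened pattern: resolve symlinks and ".." fully, then require the target to be inside root."""
    root_p = Path(root).resolve()
    target = (root_p / requested.lstrip("/")).resolve()
    try:
        target.relative_to(root_p)   # raises ValueError when target escaped the root
    except ValueError:
        return None
    return target


def demo() -> dict:
    """Constructed tree: <base>/share is served, <base>/secret.txt sits outside it."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "share")
    os.makedirs(served)
    with open(os.path.join(served, "hello.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("private")

    attack = "../secret.txt"                  # constructed traversal request
    naive_path = naive_resolve(served, attack)
    naive_leak = open(naive_path).read() if os.path.isfile(naive_path) else None

    blocked = safe_resolve(served, attack) is None
    legit = safe_resolve(served, "hello.txt")
    return {
        "naive_leak": naive_leak,                 # "private": the file outside the share was read
        "safe_blocked": blocked,                  # True: traversal rejected
        "safe_ok": legit is not None and legit.read_text() == "public",
    }
```

Two practical caveats: resolve the root as well as the target, or a symlinked share directory will fail the containment check for legitimate files; and apply the check after URL decoding, since "%2e%2e/" only becomes ".." once the server decodes it.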
AmbireAccount.isValidSignature() does not cover recovery signatures
Lines of code Vulnerability details Impact A recovery key can sign for a recovery but cannot get isValidSignature to return that it is valid. Proof of Concept AmbireAccount.isValidSignature is implemented as follows: function isValidSignature(bytes32 hash, bytes calldata signature) external view...
[H-02] Owner cannot freeze and thus cannot slash a queued withdraw that has the delegatedAddress being the 0 address.
Lines of code Vulnerability details canSlash checks whether the block number is less than whitelistedContractDetails[toBeSlashed][slashingContract], which will be 0 if a user has not delegated an address. This makes freezeOperator revert and does not allow an owner/watcher to freeze the address, and thus...
Share accounting is incorrect
Lines of code Vulnerability details Bug Description Share Distribution In the Equity contract, the amount of shares minted to a depositor is determined using calculateSharesInternal: Equity.sol#L266-L270 function calculateSharesInternal(uint256 capitalBefore, uint256 investment) internal view returns...
Owner unable to withdraw the amount since depositDeadline values already expired
Lines of code Vulnerability details Impact The staker (msg.sender) loses the deposited amount permanently once depositDeadline is over. Proof of Concept DEPOSIT: function deposit(uint256 amount) external override onlyOwner { // slither-disable-next-line timestamp if (block.timestamp > depositDeadline) revert...
Unchecked Return Values in SwapHelper.swap.
Lines of code Vulnerability details Impact SafeTransferLib.safeTransfer(tokenIn, msg.sender, amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta)); If the pool does not have enough liquidity, the UniswapV2Library functions will return a failure, but the SwapHelper.swap function does not...
Wrong value of MONTH_IN_SECONDS could make it impossible to recover NFT in 7 years
Lines of code Vulnerability details Impact The constant MONTH_IN_SECONDS has an incorrect value. Instead of 1 month, it holds 7 months: // @dev about 30 days in a month uint256 immutable MONTH_IN_SECONDS = 3600 * 24 * 7 * 30; // @audit wrong value, could allow bufferTime and recoverTimelock to become too...
owner can withdraw the NFT at any time if they wait with starting the draw until after recoverTimelock
Lines of code Vulnerability details Description When creating a random draw the owner specifies a recoverTimelock, which is a last-resort option to recover the raffled NFT if the draw fails. There are some validations that this is between a week and a year in the future, but there's no guarantee...
WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)
Exploit Title: WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting XSS Google Dork: "inurl:avia-element-paging" Date: 18/10/2021 Exploit Author: Francisco Díaz-Pache Alonso, Sergio Corral Cristo and David Álvarez Robles Vendor Homepage: https://kriesi.at/ Version: Enfold This URL must...
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Related to issue 1490. When parsing ShadingPatterns, the specification says they must not have a pattern colorspace as their base colorspace, but this is not validated, leading to out-of-bounds reads when rendering using the malformed shading pattern. bool...
TSiteBuilder 1.0 - SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: TSiteBuilder 1.0 - SQL Injection Dork: N/A Date: 27.01.2018 Vendor Homepage: http://www.datacomponents.net/ Software Link: http://www.datacomponents.net/products/website/ Version: 1.0 Category: Webapps Tested on:...
Photo Vault v1.2 iOS - Insecure Authentication Vulnerability
Document Title: =============== Photo Vault v1.2 iOS - Insecure Authentication Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=2110 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20371 CVE-ID: ======= CVE-2018-20371 Release Date:...
FS Lynda Clone 1.0 - SQL Injection
FS Lynda Clone 1.0 - SQL Injection...