CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

UBUNTU-CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

PT-2026-7635

Name of the Vulnerable Software and Affected Versions MedusaJS versions prior to 2.12.2 Description A race condition exists in the registerUsage function within the promotion module. This function uses a non-atomic read-check-update process when managing promotion usage limits. This allows...

EUVD-2012-5689

Malware in sbrugna...

CVE-2012-5809

The Groupon Redemptions application for Android does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

IF THE UNDERLYING ASSET IS A FEE ON TRANSFER TOKEN IT COULD BREAK THE INTERNAL ACCOUNTING OF THE VAULT

Lines of code Vulnerability details Impact The Vault.deposit function is used by the users to deposit assets to the vault and mint vault shares to the recipient address. The amount of assets are transferred to the Vault as follows: SafeERC20.safeTransferFrom asset, caller, addressthis,...

User may get less tokens than expected when collateral list order changes

Lines of code Vulnerability details Impact The order of ts.collateralList is not stable: Whenever LibSetters.revokeCollateral is used to revoke a collateral, it may change because of the swap that is performed. However, the function Redeemer.redeem relies on this order, as the user has to provide...

If completeRedemptions is called multiple times to redeem one epoch, the complex calculation may result in incorrect redemptions

Lines of code Vulnerability details Impact When MANAGERADMIN calls the completeRedemptions function, it requires that both redeemers and refundees have KYC. If the redeemer loses KYC, the redeemer's address will not appear in redeemers and refundees, otherwise completeRedemptions will fail...

Rounding error "confiscastes" some collateral

Lines of code Vulnerability details Impact There are no adjustments for collateral that is not returned on redemptions due to rounding errors. It will stay in the assetSender however, it will look as if was fully paid out. The rounding error also depends on the burned quantity, so it may be...

Values in redemptions do not match, and fees are being overcharged

Lines of code Vulnerability details Impact The amount of collateral to distribute collateralAmountToDist does not need to match the sum of fees actually distributed the sum of collateralAmountDue in the events of processRedemption. The real distributed amount can be smaller. However, the fees are...

Not resetting totalBurned in CashManger will break user redemptions

Lines of code Vulnerability details Not resetting totalBurned in CashManger will break user redemptions The current implementation in CashManager.completeRedemptions is not updating the totalBurned amount in an epoch if there was a refund. The problem is, that if not all user redemptions can be...

CVE-2012-5809

The Groupon Redemptions application for Android does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

Code injection

The Groupon Redemptions application for Android does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

CVE-2012-5809

The Groupon Redemptions application for Android does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

CVE-2012-5809

The CVE-2012-5809 entry describes the Groupon Redemptions Android app failing to verify that the server hostname matches the CN or subjectAltName in the server’s X.509 certificate. This weakness allows MITM attackers to spoof SSL servers using an arbitrary valid certificate. The vulnerability is ...