Lucene search
K

30 matches found

Code423n4
Code423n4
added 2023/08/10 12:0 a.m.6 views

Anyone can call the perform function because there is no access control

Lines of code L31-L75 Vulnerability details Impact Anyone can call the perform function. It can lead to unauthorized changes in the security council. Proof of Concept There is no access control in the perform function and it is marked "external". function performaddress securityCouncil, address...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.11 views

Consider Disabling Inherited _cancel Function In The Governor Contracts

Lines of code Vulnerability details Impact The currently used openzeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3 The security council management contracts are inheriting the openzeppelin GovernorUpgradeable contracts to manage proposals. This version of...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.8 views

replaceMember&rotateMember; has no voting process

Lines of code Vulnerability details Impact The execution of the two methods replaceMember&rotateMember does not implement the voting process, which will violate the provisions of the following articles Address rotation: As a practical matter, a council member can rotate one of their own keys. Thi...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.10 views

Any of the role setter , nominee Vetter should not be a council (cohort) member.

Lines of code Vulnerability details Impact The privileged cohort membercouncil member can influence the member addition, removal, rotating the nominee and excluding the nominee. The function of election can be rigged, arbitrary proposals can be passed. This is easy by the council member who has...

7.3AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.13 views

SecurityCouncilMemberSyncAction.perform is not exclusively can be scheduled from SecurityCouncilManager's operations

Lines of code Vulnerability details Impact SecurityCouncilMemberSyncAction.perform is a crucial function that will be triggered by upgrade executor via delegate call after the whole election process or after current members do some update add/remove/replace/rotate to update security council...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.11 views

GovernanceChainSCMgmtActivationAction : TIMELOCK_CANCELLER_ROLE is not set to the newEmergencySecurityCouncil

Lines of code Vulnerability details Impact newEmergencySecurityCouncil will not have the TIMELOCKCANCELLERROLE. Proof of Concept GovernanceChainSCMgmtActivationAction has the function perform which will be used to activate elections on Arbitrum One. while the function set and revoke the...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.11 views

Security council election are vulnerable to signature replay attack

Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts both inherit castVoteWithReasonAndParamsBySig function from the base GovernorUpgradeable contract, but implement custom countVote function respectively. The...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.12 views

Anyone can change the members of Security Council

Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNoncesecurityCouncil; if nonce =...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.11 views

electionToTimestamp() might return incorrect timestamps depending on the day of the first election

Lines of code Vulnerability details Bug Description For nominee elections, election dates are determined using the the electionToTimestamp function in the SecurityCouncilNomineeElectionGovernorTiming module. When SecurityCouncilNomineeElectionGovernor is initialized after deployment, the first...

6.6AI score
Exploits0
Code423n4
Code423n4
added 2023/08/10 12:0 a.m.12 views

Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig

Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2023/08/09 12:0 a.m.8 views

The upgrade executor is granted the canceller role instead of the new emergency security council.

Lines of code Vulnerability details Impact In L1SCMgmtActivationAction.sol, the perform function is not granting role to the new emergency security council. It instead grants it to the upgrade executor. This logic doesn't align with the function inline comment and can prevent the perform function...

6.8AI score
Exploits0
Malwarebytes
Malwarebytes
added 2023/07/19 1:0 a.m.27 views

Microsoft validation error allowed state actor to access user email of government agencies and others

Microsoft is getting criticized for the way in which it handled a serious security incident that allowed a suspected Chinese espionage group to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. The attacks were...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/11/04 12:0 a.m.9 views

The governor can use the replay attack to manipuate the votes in his favor

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. Since the argument of function approveEmergencyDiamondCutAsSecurityCouncilMember does not have the proposalID, a governor can use replay attack to manipulate the votes in his favor, that is, even not...

7.2AI score
Exploits0
CNVD
CNVD
added 2022/04/01 12:0 a.m.26 views

Firmware Analysis and Comparison Tool跨站请求伪造漏洞

Firmware Analysis and Comparison Tool FACT is a firmware analysis and comparison tool. firmware Analysis and Comparison Tool version v3.2 contains a cross-site request forgery vulnerability that stems from a WEB application that does not adequately validate that the request is from a trusted user...

8.8CVSS2.4AI score0.00423EPSS
Exploits1References1
The Hacker News
The Hacker News
added 2022/03/02 2:47 p.m.30 views

Hackers Try to Target European Officials to Get Info on Ukrainian Refugees, Supplies

Details of a new nation-state sponsored phishing campaign have been uncovered setting its sights on European governmental entities in what's seen as an attempt to obtain intelligence on refugee and supply movement in the region. Enterprise security company Proofpoint, which detected the malicious...

0.4AI score
Exploits0
ThreatPost
ThreatPost
added 2021/01/07 10:21 p.m.37 views

Biden to Appoint Cybersecurity Advisor to NSC – Report

President-elect Joe Biden has reportedly tapped the National Security Agency’s cybersecurity director to serve in a brand-new cyber-role on his National Security Council. Anne Neuberger, a more than 10-year veteran of the NSA and its cyber-chief since 2019, will become the country’s deputy nation...

0.5AI score
Exploits0References7
Wired Threat Level
Wired Threat Level
added 2019/05/13 9:59 p.m.72 views

How Tech Helped the NSC Change the US Way of War

The National Security Council has gained enormous influence over the last few decades—thanks in no small part to better tech...

0.4AI score
Exploits0
ThreatPost
ThreatPost
added 2018/06/04 9:9 p.m.46 views

Federal Agencies Face an Uphill Battle in Cyber-Preparedness

In the wake of the elimination of the federal cybersecurity czar position, the latest federal cybersecurity preparedness report from the Office of Management and Budget OMB and the Department of Homeland Security DHS shows that U.S. government is nowhere near ready for prime time when it comes to...

7AI score
Exploits0References7
ThreatPost
ThreatPost
added 2016/09/09 12:43 p.m.9 views

White House Hires First Federal CISO

The White House announced yesterday it has hired retired Brigadier General Gregory J. Touhill, right, to serve as the first federal chief information security officer. Touhill will be responsible for setting policies, strategies and practices across federal agencies. According to a White House bl...

6.8AI score
Exploits0References6
ThreatPost
ThreatPost
added 2016/02/04 3:51 p.m.12 views

Government Promises Comment Period on Next Wassenaar Draft

It’s been months since the U.S. Commerce Department’s Bureau of Industry and Security pulled the U.S. implementation of the Wassenaar Arrangement off the table for an unusual rewrite of the rules governing so-called intrusion software. The overly broad rule drew the ire of security and privacy...

0.3AI score
Exploits0References4
Rows per page
Query Builder