Lucene search

22 matches found

Code423n4
added 2022/06/26 12:00 a.m., 11 views

[PNM-003] _totalStakedBefore_ and _totalStakedAfter_ are always the same

Lines of code. Vulnerability details. Description: It can be medium or high according to the off-chain logic, which is not available for the contest. Specifically, rebases can only be updated by function storeRebase, and the only callsite of function storeRebase is in function rebase. While we have...

AI score: 6.8
Exploits: 0
Huntr
added 2021/09/30 3:10 p.m., 10 views

Code Injection in yogeshojha/rengine

Description: RCE via the YAML configuration of reNgine. In this configuration, the settings of the tools used in scans can be adapted. This functionality can be abused to execute arbitrary code. PoC: In the yaml configuration of reNgine, edit the extensions field of dirfilesearch to make it look li...

AI score: 0.7
Exploits: 0
Huntr
added 2021/06/11 4:38 a.m., 11 views

in hascheksolutions/pictshare

BUG: sha1 comparison bypass. DETAILS: There is vulnerable code which can bypass file sha1 hash checking: `function sha1Exists($sha1) { $handle = fopen(ROOT.DS.'data'.DS.'sha1.csv', "r"); if ($handle) while (($line = fgets($handle)) !== false) if (substr($line,0,40)==$sha1) return...`

AI score: 0.5
Exploits: 0
Hacker One
added 2019/11/04 4:12 a.m., 33 views

U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf

The vulnerability was an unsafe AMF (Action Message Format) deserialization issue in Apache Flex BlazeDS, affecting the /daip/messagebroker/amf endpoint. Successful exploitation could allow an attacker to trigger a DNS lookup by sending a crafted AMF payload. The vulnerability was identified and...

CVSS: 9.8 | AI score: 8.6 | EPSS: 0.48477
Exploits: 4
Hacker One
added 2019/08/29 10:32 p.m., 6 views

U.S. Dept Of Defense: Authentication bypass and potential RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials

The Cisco TelePresence SX80 device located at https://███████ was found to have default administrative credentials of "admin:admin", allowing authentication bypass and potential remote code execution. The device was identified as belonging to AS257 ███ and had been last used in 2017. The...

AI score: 8.2
Exploits: 0
Hacker One
added 2019/02/17 4:00 p.m., 33 views

Notepad++: Command injection by setting a custom search engine

Summary: Arbitrary commands can be injected when using the "Search on Internet" function with a malicious custom search engine. The custom search engine can be set through the GUI or the config files, with different attack scenarios. Description: The "Search on Internet" context menu functionalit...

Exploits: 0
Hacker One
added 2017/11/07 8:07 p.m., 16 views

AlienVault : SSRF bypass #2 (using octal encoding) on the https://www.threatcrowd.org/domain.php

Description: The latest SSRF fixes can be bypassed using octal encoding of the AWS IP. There is another, more general bypass which can't be fixed using blacklisting; it's reported in 288183. POC: https://www.threatcrowd.org/domain.php?domain=0251.00376.000251.0000376 F237500. Suggested fix: As wa...

AI score: 6.6
Exploits: 0
Hacker One
added 2017/10/23 8:49 p.m., 34 views

Infogram: Stored XSS in the Custom Logo link (non-Basic plan required)

Description: Hello. Recently I contacted Infogram and requested a trial of the Business version to test some features which were unavailable in the Basic version. I discovered the stored cross-site scripting issue in the Custom Logo link. F232084 There were some URL checks in place, but I was...

AI score: 5.8
Exploits: 0
Hacker One
added 2017/10/10 6:22 a.m., 36 views

Rocket.Chat: Remote Code Execution in Rocket.Chat Desktop

Summary: The Markdown parser can be tricked into allowing arbitrary JavaScript, leading to "remote code execution". Description: By combining the "link" and inline code block we can trick the parser into breaking out of the current HTML attribute. This allows us to control other attributes of the...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/08/24 10:55 p.m., 26 views

WordPress: Buddypress 2.9.1 - Exceeding the maximum upload size - XSS leading to potential RCE.

Description: This report is very similar to https://hackerone.com/bugs?subject=user&reportid=203515 so I will not go into too much detail. When uploading an avatar or profile background image that's larger than allowed, the error containing the filename will be output unsanitized, leading to XSS...

AI score: 6.4
Exploits: 0
Hacker One
added 2017/08/23 6:10 p.m., 216 views

GSA Bounty: Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on federation.data.gov

Description: Hi. I just noticed that you have extended the scope for the bounty program. I looked at the first resource, https://federation.data.gov/, and noticed that the x-amz-meta-s3cmd-attrs response header returns sensitive information, like the system username:...

AI score: 6.8
Exploits: 0
Hacker One
added 2017/07/17 10:40 p.m., 20 views

GSA Bounty: The Federalist session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible

Description: Hello. This issue is not very dangerous itself, but can be dangerous in combination with others like XSS, or malicious access to the user account. The user/attacker who once got a valid federalist.sid cookie from the account can use it as a backdoor for some time, because it is not actual...

AI score: 0.2
Exploits: 0
Hacker One
added 2017/07/13 2:36 p.m., 25 views

GSA Bounty: Race condition on the Federalist API endpoints can lead to the Denial of Service attack

Description: Hello. I discovered that the Federalist API doesn't have rate limiting in place, and executes any number of requests to the endpoint in parallel. The impact: Since you are using the cloud, and I can't test the production environment, the impact is theoretical in this case - it can be a...

AI score: 0.4
Exploits: 0
Hacker One
added 2017/07/12 11:21 a.m., 99 views

X (Formerly Twitter): XXE on sms-be-vip.twitter.com in SXMP Processor

Hi team, What type of issue are you reporting? Does it align to a CWE or OWASP issue? I've identified an XXE vulnerability in the cloudhopper sxmp servlet on sms-be-vip.twitter.com which discloses local files to an external attacker and allows web requests to be sent. This aligns to...

AI score: 6.7
Exploits: 0
Hacker One
added 2017/04/27 3:17 p.m., 14 views

Weblate: session id missing secure flag - Hosted Website

Hey folks, looks like the sessionid cookie handles the session id but misses the Secure flag. Cookies without this flag will be transmitted over an unencrypted channel and let man-in-the-middle attackers grab the value. Attack Vector - Attacker passes an http:// hosted website link - Victim clicks the...

AI score: 6.9
Exploits: 0
Hacker One
added 2017/02/18 1:26 p.m., 17 views

shopify-scripts: Controlled address leak due to type confusion - ASLR bypass

There are several different places in which arguments are treated as fixnums without a prior check for their type. Since mrb_value is a union that holds all value types, it can cause a mixup between an object pointer and an integer value: `typedef struct mrb_value { union { mrb_float f; void *p; mrb_in...`

AI score: 0.1
Exploits: 0
seebug.org
added 2014/09/18 12:00 a.m., 30 views

LoadedCommerce7 - Systemic Query Factory Vulnerability

No description provided by source. Title: LoadedCommerce7 Systemic Query Factory Vulnerability Advisory: http://breaking.technology/advisories/CVE-2014-5140.txt Credits: Discovered by Breaking Technology Research Labs 2014-06-30 Reference: CVE-2014-5140 - Assigned 31 June 2014 Timeline: Vendor...

CVSS: 7.1 | AI score: 8.7 | EPSS: 0.0105
Exploits: 6
Exploit DB
added 2014/09/07 12:00 a.m., 38 views

LoadedCommerce7 - Systemic Query Factory

Title: LoadedCommerce7 Systemic Query Factory Vulnerability Advisory: http://breaking.technology/advisories/CVE-2014-5140.txt Credits: Discovered by Breaking Technology Research Labs 2014-06-30 Reference: CVE-2014-5140 - Assigned 31 June 2014 Timeline: Vendor notified - 29 July 2014 Vendor...

CVSS: 8.8 | AI score: 7 | EPSS: 0.0105
Exploits: 6
Atlassian
added 2007/07/24 7:51 a.m., 18 views

Reflected XSS Vulnerability in the Feed Builder

Input in the Feed Builder is not properly handled. Insert `"alert('Gotcha!')` as the feed name title and you get a url like this:...

AI score: 0.5
Exploits: 0
Atlassian
added 2007/07/24 7:51 a.m., 17 views

Reflected XSS Vulnerability in the Feed Builder

Input in the Feed Builder is not properly handled. Insert `"alert('Gotcha!')` as the feed name title and you get a url like this:...

AI score: 0.5
Exploits: 0 | Affected software: 1