21 matches found
Malicious code in @jonusnattapong/claudecode (npm)
Source: amazon-inspector 8a08b3e13079279fb9dce40859dd868b0953bec139996eb7ac915a7dc415b29c. The package is a third-party reconstruction of Anthropic's Claude Code CLI that misrepresents itself as the official product. package.json describes itse...
StudioCMS has Privilege Escalation via Insecure API Token Generation
Summary The /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target us...
CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...
Linux Distros Unpatched Vulnerability : CVE-2020-13322
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy...
ASUS MyASUS Security Vulnerability
ASUS MyASUS is an official ASUS PC application from Asus China Inc. A security vulnerability exists in ASUS MyASUS that stems from insecure storage of sensitive keys, which could lead to unauthorized participants obtaining a token...
CVE-2024-50573
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services...
PT-2024-29887
Name of the Vulnerable Software and Affected Versions Biscuit versions prior to 4 Description The issue concerns the generation of third-party blocks in Biscuit, an authorization token with decentralized verification. A malicious user can forge a ThirdPartyBlock request, tricking the third-party...
PT-2024-12720 · Ibm · Ibm Watson Iot Platform
Name of the Vulnerable Software and Affected Versions: IBM Watson IoT Platform version 1.0 Description: An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user. Recommendations: For IBM Watson IoT...
Insecure and Inflexible Forwarder Approval Mechanism (Full Access Grant)
Lines of code Vulnerability details Impact The current implementation of the onlyApprovedForwarder modifier in the Ocean smart contract has several negative impacts: 1. Security Risk: Users are exposed to a significant security risk if their forwarder is compromised. An attacker can exploit full...
replay attack in StakedUSDe's redistributeLockedAmount function
Lines of code Vulnerability details Impact The vulnerability in the redistributeLockedAmount function of the StakedUSDe contract allows an admin user to redistribute tokens from a restricted address to another address. However, if a user, let's call them User A, is removed from the blacklist and...
Able to call withdrawContributions with any vaultId may lead to loss of funds
Lines of code Vulnerability details Impact The withdrawContributions function in Migration.sol takes any vault as input. As long as the vault is valid and has an inactive buyout, a user may call withdrawContributions even if the proposal they contributed to is LIVE. This may lead to users not bei...
Attacker can burn anyone's tokens and steal everyone's money
Lines of code Vulnerability details Impact Attacker can burn tokens, and the balance of the contract is an amount less or greater in the sendtokenreciver function, and if the receiver is me then the token transfer can be more than I lent or am borrowing/withdrawing, and gains me extra tokens. The burn function is called...
Biscuit Data Forgery Vulnerability
Biscuit provides delegated, decentralized, capability-based authorization tokens. A data forgery vulnerability exists in the v1 version of Biscuit that stems from allowing an attacker to create tokens with any access level...
Anybody can claim JLP tokens approved to WJLP
Handle kenzo Vulnerability details WJLP's wrap takes from and to as parameters, and doesn't check that msg.sender == from. This means that anybody can claim to himself tokens that a user approved for WJLP. Impact Loss of user funds. Proof of Concept The problem is in the wrap function. Code ref...
Insufficient check on updateVestedTokens function
Handle rfa Vulnerability details Impact This function can be used by the beneficiary to update their vested tokens; however, the function is callable by anyone. There is no check that the msg.sender/caller is the correct beneficiary; the only check is , but this check is user controllable, therefore...
Incorrect address check in transferERC20 can allow rugging
Handle 0xRajeev Vulnerability details Impact SwappableYieldSource.sol has a transferERC20 function callable only by the owner or asset manager to transfer out ERC20 tokens other than the yield source's tokens held by this contract. This is similar to the functions in ATokenYieldSource and...
Cisco Telepresence CE Software Unauthorized Token Generation (cisco-sa-tp-uathracc-jWNESUfM)
According to its self-reported version, Cisco TelePresence CE Software is affected by a vulnerability. A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device...
CVE-2020-26068 Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability
A vulnerability in the xAPI service of Cisco Telepresence CE Software and Cisco RoomOS Software could allow an authenticated, remote attacker to generate an access token for an affected device. The vulnerability is due to insufficient access authorization. An attacker could exploit this...
Longbrothers Digital OKLOK Information Disclosure Vulnerability (CNVD-2021-25679)
Longbrothers Digital Fingerprint Bluetooth Padlock FB50 and OKLOK are both products of Longbrothers Digital China. The Fingerprint Bluetooth Padlock FB50 is a fingerprint round padlock that supports fingerprint unlocking, remote unlocking...
CVE-2018-13126
CVE-2018-13126 concerns the MoxyOnePresale Ethereum smart contract. The connected documents describe an integer overflow in the contract’s mint function, which would allow the contract owner to arbitrarily retrieve minted tokens. The material does not provide version numbers, precise affected fil...