AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image filename...
CVSS 6.1 | AI Score 6.2 | EPSS 0.002
Lines of code Vulnerability details function createVault( uint256 tokenIdOrAmount, address token, ... ) external returns (uint256 vaultId) { ... Vault memory vault = Vault({ ... }); // vault index should always be odd vaultIndex += 2; vaultId =...
AI Score 6.7
If currentMonth in init is 0, then CPI update will revert, zero div
This is a manual upgrade of the sixth item in QA report #86, per judge @jack-the-pug's assessment of it as a Medium risk issue. If currentMonth in init is 0, then CPI update will revert, zero div https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L92...
AI Score 6.9
Division by zero in isWithinDeviationThreshold
Judge @jack-the-pug is upgrading the following issue from a QA report (issue #30) to Medium risk: Division by zero in isWithinDeviationThreshold if a is zero. This only seems to be the case if the oracle would return 0 for CPI and in this case, something is wrong anyway. Should still handle this...
AI Score 6.8
Orderers Can Unauthorized Transfer User's Share In Single Step
Lines of code Vulnerability details Impact The transferFrom function of vToken.sol can be called without any user permission or strict security checks; it requires only that the caller has ORDERER_ROLE as the access control, exposing it to centralization risk if an orderer is compromised or acts...
AI Score 6.8
express-fileupload is vulnerable to arbitrary file upload. The vulnerability exists due to a lack of verification of the number of files being sent to the writeStream()...
CVSS 7.5 | AI Score 2.5 | EPSS 0.001
vcon address change not persistent across protocol components
Lines of code https://github.com/code-423n4/2022-03-volt/blob/main/contracts/refs/CoreRef.sol#L22 https://github.com/code-423n4/2022-03-volt/blob/main/contracts/refs/CoreRef.sol#L199 Vulnerability details Impact vcon address is allowed to be updated by GOVERNOR in Core, however, this change will...
AI Score 6.9
Lines of code Vulnerability details Impact Throughout the protocol, oracles are relied upon to keep Volt stable, calculate payouts to users, and judge whether actions are eligible to be carried out. On the NonCustodialPSM contract, oracle is updated with the updateOracle function. However, there...
AI Score 6.9
Lines of code Vulnerability details function swapTokensGeneric(LiFiData memory _lifiData, LibSwap.SwapData[] calldata _swapData) public payable { uint256 receivingAssetIdBalance = LibAsset.getOwnBalance(_lifiData.receivingAssetId); // Swap _executeSwaps(_lifiData, _swapData); ...
AI Score 6.7
GenericSwapFacet misuses _lifiData
Lines of code Vulnerability details Impact https://github.com/code-423n4/2022-03-lifinance/blob/main/docs/GenericSwapFacet.md stated that _lifiData is strictly for analytics purposes. But _lifiData is used to set receivingAsset. Proof of Concept In GenericSwapFacet.swapTokensGeneric,...
AI Score 7
Any user can recover the funds left in the contract
Lines of code Vulnerability details Impact There is a WithdrawFacet such that only the owner/admin can recover the lost funds in the contract. However, any user can retrieve the funds by using the swapTokensGeneric function, which might be unexpected behavior. Proof of Concept Suppose that 1000...
AI Score 6.7
[WP-H6] Swapper can be used to steal all the funds from the contract
Lines of code Vulnerability details function swapTokensGeneric(LiFiData memory _lifiData, LibSwap.SwapData[] calldata _swapData) public payable { uint256 receivingAssetIdBalance = LibAsset.getOwnBalance(_lifiData.receivingAssetId); // Swap _executeSwaps(_lifiData, _swapData); ...
AI Score 6.8
Reliance on lifiData.receivingAssetId can cause loss of funds
Lines of code Vulnerability details Impact In the swapTokensGeneric() function, an arbitrary number of swaps can be performed from and to various tokens. However, the final balance that is sent to the user relies on _lifiData.receivingAssetId which has no use in the swapping functionality....
AI Score 6.8
Lack of checks between _swapData and _lifiData could lead to loss of funds and reputation risk.
Lines of code LibSwap.swap swapTokensGeneric Vulnerability details Impact Users could input incongruent values for _lifiData and _swapData, leading to a swap not being processed correctly and users not getting any of the expected _lifiData.receivingAssetId. It can also damage reputation because LiFi...
AI Score 6.8
[WP-H6] Admin of the upgradeable proxy contract of Controller.sol can rug users
Lines of code Vulnerability details Use of Upgradeable Proxy Contract Structure allows the logic of the contract to be arbitrarily changed. This allows the proxy admin to perform malicious actions e.g., taking funds from users' wallets up to the allowance limit. This action can be performed by the...
AI Score 6.9
How to pay professional maintainers
I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies. In a previous essay, Professional maintainers: a wake-up call, I argued that we need Open Source maintainers to professionalize into a role that's...
AI Score 7
Underflown variable in borrowGivenDebtETHCollateral function
Lines of code Vulnerability details Impact The borrowGivenDebtETHCollateral function never properly calls ETH.transfer due to an underflow. If the borrowGivenDebtETHCollateral function is not deprecated, it would cause unexpected behavior for users. Proof of Concept Here is code which contains a...
AI Score 7
Lines of code Vulnerability details The receive function doesn't check that msg.sender is supposed to pay, risking someone accidentally sending ether and losing it.
AI Score 6.9
Exchange does not split royalty revenue correctly
Lines of code Vulnerability details According to the README.md If royalty information was not defined when the NFT was originally deployed, it may be added using the Royalty Registry which will be respected by our market contract. ...
AI Score 6.8
Bypassing Apple’s AirTag Security
A Berlin-based company has developed an AirTag clone that bypasses Apple's anti-stalker security systems. Source code for these AirTag clones is available online. So now we have several problems with the system. Apple's anti-stalker security only works with iPhones. (Apple wrote an Android app...
AI Score 1.3
Lines of code https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/BribeVault.sol#L23 Vulnerability details Impact Function transferBribes has a parameter named fees. Essentially, it allows an admin to apply any arbitrary fees and send them to the feeRecipient. This makes no...
AI Score 6.9
OS Command Injection in git-add-remote
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name...
CVSS 9.8 | AI Score 9.3 | EPSS 0.012
ptrofimov/beanstalk_console is vulnerable to cross-site scripting. The vulnerability exists in include.php due to improper sanitizing of user inputs which allows an attacker to insert and execute arbitrary...
CVSS 6.1 | AI Score 3 | EPSS 0.001
Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)
An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed Common Industrial Protocol (CIP) packet, an attacker may be able to overflow a...
CVSS 10 | AI Score 9.7 | EPSS 0.002
Handle danb Vulnerability details On transferAndCall, the money is transferred twice. Recommended Mitigation Steps: remove line 29.
AI Score 7.1
Lack of access control in the parameterize function of proposal contracts
Handle shw Vulnerability details Impact Most of the proposal contracts have a parameterize function for setting the proposal parameters, and these functions are protected only by the notCurrent modifier. When the proposal is proposed through a lodgeProposal transaction, an attacker can front-run...
AI Score 6.8
Tracking Secret German Organizations with Apple AirTags
A German activist is trying to track down a secret government intelligence agency. One of her research techniques is to mail Apple AirTags to see where they actually end up: Wittmann says that everyone she spoke to denied being part of this intelligence agency. But what she describes as a "good...
AI Score 1.8
transferAndCall sends tokens twice
Handle cccz Vulnerability details Impact The Flan contract is inherited from the ERC677 contract. In the transferAndCall function of the ERC677 contract, the super.transfer and _transfer functions will be called, which will cause the token to be sent twice. function transferAndCall( ...
AI Score 6.9
Admin can rug L2 Escrow tokens leading to reputation risk
Handle harleythedog Vulnerability details Impact The L1Escrow contract has the function approve that is callable by the admin to approve an arbitrary spender with an arbitrary amount (so they can steal all of the escrow's holdings if they want). Even if the admin is well intended, the contract can...
AI Score 7
Handle WatchPug Vulnerability details function mint(address _to, uint256 _amount) external override onlyRole(MINTER_ROLE) { _mint(_to, _amount); emit Mint(_to, _amount); } Using the mint() function of L2LivepeerToken, an address with MINTER_ROLE can burn an arbitrary amount of...
AI Score 7
Handle WatchPug Vulnerability details function approve( address _token, address _spender, uint256 _value ) public onlyRole(DEFAULT_ADMIN_ROLE) { ApproveLike(_token).approve(_spender, _value); emit Approve(_token, _spender, _value); } L1Escrow.sol#approve() allows an address...
AI Score 7
Description The read() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
CVSS 9.8 | AI Score 1.4 | EPSS 0.002
Cross-site Scripting (XSS) - Stored in mautic/mautic
Description When installing Mautic (both via UI or CLI), the first and last name of the admin account are not sanitised before being stored in the database. This results in a possible stored XSS, as those fields are displayed and re-used without any sanitisation. During install the raw...
AI Score 0.7
safeName() can revert causing DoS
Handle sirhashalot Vulnerability details Impact The safeName() function, found in the SafeMetadata.sol contract and called in 4 Timeswap Convenience contracts in the name() functions, can cause a revert. This could make the 4 contracts not compliant with the ERC20 standard for certain asset pairs...
AI Score 6.9