BTV-EMUI5.0,Berlin-EMUI5.0,Berlin-L21,Berlin-L22,Berlin-L23,MHA-AL00A Security Vulnerabilities

[github] AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image filename...
CVSS 6.1 | AI Score 6.2 | EPSS 0.002 | 2022-05-14 01:57 AM | 25

[code423n4] [WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users
Lines of code / Vulnerability details: function createVault( uint256 tokenIdOrAmount, address token, ... ) external returns (uint256 vaultId) { ... Vault memory vault = Vault({ ... }); // vault index should always be odd vaultIndex += 2; vaultId =...
AI Score 6.7 | 2022-05-14 12:00 AM | 7

[code423n4] If currentMonth in init is 0, then CPI update will revert, zero div
This is a manual upgrade of the sixth item in QA report #86, per judge @jack-the-pug's assessment of it as a Medium risk issue. If currentMonth in init is 0, then CPI update will revert, zero div https://github.com/code-423n4/2022-03-volt/blob/main/contracts/oracle/ScalingPriceOracle.sol#L92...
AI Score 6.9 | 2022-04-27 12:00 AM | 6

[code423n4] Division by zero in isWithinDeviationThreshold
Judge @jack-the-pug is upgrading the following issue from a QA report (issue #30) to Medium risk: Division by zero in isWithinDeviationThreshold if a is zero. This only seems to be the case if the oracle would return 0 for CPI and in this case, something is wrong anyway. Should still handle this.....
AI Score 6.8 | 2022-04-27 12:00 AM | 6

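The two Volt oracle reports above (a zero currentMonth accepted at init, and division by zero in isWithinDeviationThreshold) describe one failure: a relative-deviation check that divides by the previous CPI reading with no guard, so a zero reading turns every later update into an arithmetic panic. The Solidity below is an added example, not code from Volt or from either report. It shows the unguarded check beside a guarded one and an initialiser that refuses a zero reading. Everything beyond the names currentMonth and isWithinDeviationThreshold (the contract name, unsigned values, the basis-point scale, the 20% bound) is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not the Volt ScalingPriceOracle. Names other than
// currentMonth and isWithinDeviationThreshold, the unsigned values, the
// basis-point scale and the 20% bound are assumptions.
contract CpiDeviationExample {
    uint256 public constant BASIS_POINTS = 10_000;
    uint256 public constant MAX_DEVIATION_BP = 2_000; // assumed 20% bound

    uint256 public previousMonth; // CPI reading for the previous month
    uint256 public currentMonth;  // CPI reading for the current month

    error ZeroCpiReading();
    error DeviationTooLarge(uint256 deviationBp);

    // Fix for "If currentMonth in init is 0, then CPI update will revert":
    // every later update divides by currentMonth, so a zero accepted here
    // would turn each update into Panic(0x12) instead of a clear error.
    constructor(uint256 _previousMonth, uint256 _currentMonth) {
        if (_previousMonth == 0 || _currentMonth == 0) revert ZeroCpiReading();
        previousMonth = _previousMonth;
        currentMonth = _currentMonth;
    }

    // Vulnerable form, kept for comparison: `diff * BASIS_POINTS / a` reverts
    // with Panic(0x12) (division by zero) whenever `a` is zero.
    function isWithinDeviationThresholdUnsafe(uint256 a, uint256 b) public pure returns (bool) {
        uint256 diff = a > b ? a - b : b - a;
        return diff * BASIS_POINTS / a <= MAX_DEVIATION_BP;
    }

    // Hardened form: a zero reference value is rejected with a named error, so
    // callers and off-chain monitoring can tell "oracle returned 0" apart from
    // a bare arithmetic panic.
    function isWithinDeviationThreshold(uint256 a, uint256 b) public pure returns (bool) {
        if (a == 0) revert ZeroCpiReading();
        uint256 diff = a > b ? a - b : b - a;
        return diff * BASIS_POINTS / a <= MAX_DEVIATION_BP;
    }

    // Monthly update: the new reading must be non-zero and within the bound
    // relative to the reading it replaces. Rejecting zero here keeps the
    // invariant the constructor established, so the next update's division
    // is always on a non-zero value.
    function updateCpi(uint256 newReading) external {
        if (newReading == 0) revert ZeroCpiReading();
        if (!isWithinDeviationThreshold(currentMonth, newReading)) {
            uint256 diff = currentMonth > newReading ? currentMonth - newReading : newReading - currentMonth;
            revert DeviationTooLarge(diff * BASIS_POINTS / currentMonth);
        }
        previousMonth = currentMonth;
        currentMonth = newReading;
    }
}
```

The point of the named error is operational: a Panic(0x12) from a Chainlink-style callback looks identical to any other arithmetic failure in logs, whereas ZeroCpiReading tells the operator exactly which upstream value was bad.
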
[code423n4] Orderers Can Unauthorized Transfer User's Share In Single Step
Lines of code / Vulnerability details / Impact: The transferFrom function of vToken.sol can be called without any user permission or strict security checks; it requires only that the caller has ORDERER_ROLE as the access control, exposing it to centralization risk if an orderer is compromised or act...
AI Score 6.8 | 2022-04-21 12:00 AM | 7

[veracode] Arbitrary File Upload
express-fileupload is vulnerable to arbitrary file upload. The vulnerability exists due to a lack of verification of the number of files being sent to the writeStream()...
CVSS 7.5 | AI Score 2.5 | EPSS 0.001 | 2022-04-13 08:50 AM | 19

[code423n4] vcon address change not persistent across protocol components
Lines of code: https://github.com/code-423n4/2022-03-volt/blob/main/contracts/refs/CoreRef.sol#L22 https://github.com/code-423n4/2022-03-volt/blob/main/contracts/refs/CoreRef.sol#L199 Vulnerability details / Impact: vcon address is allowed to be updated by GOVERNOR in Core, however, this change will...
AI Score 6.9 | 2022-04-06 12:00 AM | 4

[code423n4] Inconsistent use of oracle
Lines of code / Vulnerability details / Impact: Throughout the protocol, oracles are relied upon to keep Volt stable, calculate payouts to users, and judge whether actions are eligible to be carried out. On the NonCustodialPSM contract, oracle is updated with the updateOracle function. However, there...
AI Score 6.9 | 2022-04-06 12:00 AM | 5

[code423n4] [WP-H10] GenericSwapFacet.sol#swapTokensGeneric() duplicated .call{ value: msg.value } makes it possible for the attacker to steal native tokens (ETH) from the contract
Lines of code / Vulnerability details: function swapTokensGeneric(LiFiData memory _lifiData, LibSwap.SwapData[] calldata _swapData) public payable { uint256 receivingAssetIdBalance = LibAsset.getOwnBalance(_lifiData.receivingAssetId); // Swap _executeSwaps(_lifiData, _swapData); ...
AI Score 6.7 | 2022-03-30 12:00 AM | 5

[code423n4] GenericSwapFacet misuses _lifiData
Lines of code / Vulnerability details / Impact: https://github.com/code-423n4/2022-03-lifinance/blob/main/docs/GenericSwapFacet.md stated that _lifiData is strictly for analytics purposes. But _lifiData is used to set receivingAsset. Proof of Concept: In GenericSwapFacet.swapTokensGeneric,...
AI Score 7 | 2022-03-30 12:00 AM | 5

[code423n4] Any user can recover the funds left in the contract
Lines of code / Vulnerability details / Impact: There is a WithdrawFacet such that only the owner/admin can recover the lost funds in the contract. However, any user can retrieve the funds by using the swapTokensGeneric function, which might be unexpected behavior. Proof of Concept: Suppose that 1000...
AI Score 6.7 | 2022-03-30 12:00 AM | 4

[code423n4] [WP-H6] Swapper can be used to steal all the funds from the contract
Lines of code / Vulnerability details: function swapTokensGeneric(LiFiData memory _lifiData, LibSwap.SwapData[] calldata _swapData) public payable { uint256 receivingAssetIdBalance = LibAsset.getOwnBalance(_lifiData.receivingAssetId); // Swap _executeSwaps(_lifiData, _swapData); ...
AI Score 6.8 | 2022-03-30 12:00 AM | 8

[code423n4] Reliance on lifiData.receivingAssetId can cause loss of funds
Lines of code / Vulnerability details / Impact: In the swapTokensGeneric() function, an arbitrary number of swaps can be performed from and to various tokens. However, the final balance that is sent to the user relies on _lifiData.receivingAssetId which has no use in the swapping functionality....
AI Score 6.8 | 2022-03-29 12:00 AM | 2

[code423n4] Lack of checks between _swapData and _lifiData could lead to loss of funds and reputation risk.
Lines of code: LibSwap.swap, swapTokensGeneric. Vulnerability details / Impact: Users could input incongruent values for _lifiData and _swapData, leading to a swap not being processed correctly and users not getting any of the expected _lifiData.receivingAssetId. It can also damage reputation because LiFi....
AI Score 6.8 | 2022-03-28 12:00 AM | 5

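The six LiFi reports above (WP-H10, "GenericSwapFacet misuses _lifiData", "Any user can recover the funds left in the contract", WP-H6 "Swapper can be used to steal all the funds", "Reliance on lifiData.receivingAssetId" and "Lack of checks between _swapData and _lifiData") share a root cause: swapTokensGeneric takes the payout asset from _lifiData, which the project's own documentation reserves for analytics, and nothing ties that field to the swap path in _swapData. The Solidity below is an added example, not LiFi's GenericSwapFacet or LibSwap. It places the vulnerable payout shape beside a hardened one that derives the payout asset from the last hop, requires the hops to chain, requires _lifiData to agree with the path rather than drive it, and moves native value out of the contract in exactly one place. The struct fields, error names, the NATIVE sentinel and the virtual _executeSwaps hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added example, not LiFi's GenericSwapFacet or LibSwap. Struct and function
// names follow the reports above; swap execution is left to a virtual hook so
// only the payout logic is shown. Field names, errors and NATIVE are assumed.
abstract contract SwapPayoutExample {
    address internal constant NATIVE = address(0);

    struct LiFiData {            // analytics-only data, per the LiFi docs quoted above
        address receivingAssetId;
        address receiver;
    }
    struct SwapData {
        address sendingAssetId;
        address receivingAssetId;
        uint256 fromAmount;
    }

    error EmptySwapPath();
    error PathMismatch(uint256 hop);
    error AnalyticsMismatch();
    error WrongValue();
    error TransferFailed();

    // Concrete facets perform the DEX calls here.
    function _executeSwaps(SwapData[] calldata swaps) internal virtual;

    // Vulnerable shape: the payout asset comes from _lifiData, which the swaps
    // never read. Whatever the contract gains in that asset during the call is
    // paid to msg.sender, whether or not it came from the caller's own input,
    // and the asset the caller actually swapped into may stay in the contract.
    function swapTokensGenericUnsafe(LiFiData memory _lifiData, SwapData[] calldata _swapData) external payable {
        uint256 balanceBefore = _balanceOf(_lifiData.receivingAssetId);
        _executeSwaps(_swapData);
        uint256 received = _balanceOf(_lifiData.receivingAssetId) - balanceBefore;
        _payout(_lifiData.receivingAssetId, msg.sender, received);
    }

    // Hardened shape: the payout asset is derived from the swap path, the path
    // must chain hop to hop, the analytics struct must agree with it, and
    // msg.value is accepted only when the first hop spends exactly that much.
    function swapTokensGeneric(LiFiData memory _lifiData, SwapData[] calldata _swapData) external payable {
        uint256 n = _swapData.length;
        if (n == 0) revert EmptySwapPath();
        for (uint256 i = 1; i < n; i++) {
            if (_swapData[i].sendingAssetId != _swapData[i - 1].receivingAssetId) revert PathMismatch(i);
        }
        address inputAsset = _swapData[0].sendingAssetId;
        address finalAsset = _swapData[n - 1].receivingAssetId;
        if (_lifiData.receivingAssetId != finalAsset) revert AnalyticsMismatch();

        if (inputAsset == NATIVE) {
            if (msg.value != _swapData[0].fromAmount) revert WrongValue();
        } else {
            if (msg.value != 0) revert WrongValue();
            if (!IERC20(inputAsset).transferFrom(msg.sender, address(this), _swapData[0].fromAmount)) revert TransferFailed();
        }

        // msg.value is already part of address(this).balance at this point, so
        // it is excluded from the baseline when the final asset is native; the
        // delta then measures only what the last hop delivered.
        uint256 balanceBefore = _balanceOf(finalAsset);
        if (finalAsset == NATIVE) balanceBefore -= msg.value;
        _executeSwaps(_swapData);
        uint256 received = _balanceOf(finalAsset) - balanceBefore;
        _payout(finalAsset, msg.sender, received);
    }

    function _balanceOf(address asset) internal view returns (uint256) {
        return asset == NATIVE ? address(this).balance : IERC20(asset).balanceOf(address(this));
    }

    // The only place native value leaves the contract.
    function _payout(address asset, address to, uint256 amount) internal {
        if (amount == 0) return;
        if (asset == NATIVE) {
            (bool ok, ) = to.call{value: amount}("");
            if (!ok) revert TransferFailed();
        } else if (!IERC20(asset).transfer(to, amount)) {
            revert TransferFailed();
        }
    }
}
```

Two caveats a reviewer would still raise: the balance-delta pattern is only sound under a reentrancy guard, since a hop that calls back into swapTokensGeneric can shift both baselines, and `transfer`/`transferFrom` should go through a safe-transfer wrapper for tokens that return nothing.
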
[code423n4] [WP-H6] Admin of the upgradeable proxy contract of Controller.sol can rug users
Lines of code / Vulnerability details: Use of Upgradeable Proxy Contract Structure allows the logic of the contract to be arbitrarily changed. This allows the proxy admin to perform malicious actions e.g., taking funds from users' wallets up to the allowance limit. This action can be performed by the....
AI Score 6.9 | 2022-03-24 12:00 AM | 6

[filippoio] How to pay professional maintainers
I work on the Go team at Google, but this is my personal opinion as someone who built a career on Open Source both at and outside big companies. In a previous essay, Professional maintainers: a wake-up call, I argued that we need Open Source maintainers to professionalize into a role that's...
AI Score 7 | 2022-03-17 11:07 AM | 8

[code423n4] Underflown variable in borrowGivenDebtETHCollateral function
Lines of code / Vulnerability details / Impact: borrowGivenDebtETHCollateral function never properly calls ETH.transfer due to underflow. If borrowGivenDebtETHCollateral function is not deprecated, it would cause unexpected behaviors for users. Proof of Concept: Here are codes which contain a...
AI Score 7 | 2022-03-06 12:00 AM | 4

[code423n4] dangerous receive function
Lines of code / Vulnerability details: the receive function doesn't check that msg.sender is supposed to pay, risking someone accidentally sending ether and losing it.
AI Score 6.9 | 2022-03-02 12:00 AM | 4

[code423n4] Exchange does not split royalty revenue correctly
Lines of code / Vulnerability details: According to the README.md: If royalty information was not defined when the NFT was originally deployed, it may be added using the Royalty Registry which will be respected by our market contract. ...
AI Score 6.8 | 2022-03-01 12:00 AM | 3

[schneier] Bypassing Apple’s AirTag Security
A Berlin-based company has developed an AirTag clone that bypasses Apple's anti-stalker security systems. Source code for these AirTag clones is available online. So now we have several problems with the system. Apple's anti-stalker security only works with iPhones. (Apple wrote an Android app...
AI Score 1.3 | 2022-02-23 12:28 PM | 11

[code423n4] Arbitrary fees
Lines of code: https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/BribeVault.sol#L23 Vulnerability details / Impact: Function transferBribes has a parameter named fees. Essentially, it allows an admin to apply any arbitrary fees and send them to the feeRecipient. This makes no...
AI Score 6.9 | 2022-02-17 12:00 AM | 3

[github] OS Command Injection in git-add-remote
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name...
CVSS 9.8 | AI Score 9.3 | EPSS 0.012 | 2022-02-10 11:47 PM | 20

[osv] OS Command Injection in git-add-remote
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name...
CVSS 9.8 | AI Score 5.6 | EPSS 0.012 | 2022-02-10 11:47 PM | 5

[veracode] Cross-site Scripting (XSS)
ptrofimov/beanstalk_console is vulnerable to cross-site scripting. The vulnerability exists in include.php due to improper sanitizing of user inputs which allows an attacker to insert and execute arbitrary...
CVSS 6.1 | AI Score 3 | EPSS 0.001 | 2022-02-07 01:50 PM | 5

[nessus] Rockwell Automation Logix5000 Programmable Automation Controller Buffer Overflow (CVE-2016-9343)
An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending a malformed common industrial protocol (CIP) packet, an attacker may be able to overflow a...
CVSS 10 | AI Score 9.7 | EPSS 0.002 | 2022-02-07 12:00 AM | 57

[code423n4] double transfer
Handle: danb. Vulnerability details: on transferAndCall, the money is transferred twice. Recommended Mitigation Steps: remove line 29.
AI Score 7.1 | 2022-02-02 12:00 AM | 5

[code423n4] Lack of access control in the parameterize function of proposal contracts
Handle: shw. Vulnerability details / Impact: Most of the proposal contracts have a parameterize function for setting the proposal parameters, and these functions are protected only by the notCurrent modifier. When the proposal is proposed through a lodgeProposal transaction, an attacker can front-run...
AI Score 6.8 | 2022-02-02 12:00 AM | 4

[schneier] Tracking Secret German Organizations with Apple AirTags
A German activist is trying to track down a secret government intelligence agency. One of her research techniques is to mail Apple AirTags to see where they actually end up: Wittmann says that everyone she spoke to denied being part of this intelligence agency. But what she describes as a "good...
AI Score 1.8 | 2022-01-28 12:13 PM | 15

[code423n4] transferAndCall sends tokens twice
Handle: cccz. Vulnerability details / Impact: The Flan contract is inherited from the ERC677 contract. In the transferAndCall function of the ERC677 contract, the super.transfer and _transfer functions will be called, which will cause the token to be sent twice. function transferAndCall( ...
AI Score 6.9 | 2022-01-27 12:00 AM | 14

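The "double transfer" and "transferAndCall sends tokens twice" reports above describe the same defect: transferAndCall calls super.transfer and then _transfer, so one call debits the sender and credits the receiver twice. The Solidity below is an added example, not the Flan contract or its ERC677 base. A minimal ERC20 is inlined so it compiles on its own, and the buggy function sits beside the fixed one. The receiver interface, the event and the balance figures in the comments are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added example, not the Behodler Flan contract or its ERC677 base. The ERC20
// below is a deliberately minimal stand-in; names other than transferAndCall,
// super.transfer and _transfer are assumptions.
contract MinimalERC20 {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function transfer(address to, uint256 value) public virtual returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function _transfer(address from, address to, uint256 value) internal {
        balanceOf[from] -= value; // checked arithmetic: reverts if value > balance
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }

    function _mint(address to, uint256 value) internal {
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }
}

interface IERC677Receiver {
    function onTokenTransfer(address sender, uint256 value, bytes calldata data) external;
}

contract ERC677DoubleTransferExample is MinimalERC20 {
    event TransferWithData(address indexed from, address indexed to, uint256 value, bytes data);

    constructor() {
        _mint(msg.sender, 1_000e18); // assumed deployer balance for the figures below
    }

    // Buggy shape from the reports: super.transfer already moves `value`, and
    // the following _transfer moves it a second time. From a 1000 balance, a
    // call with value 400 leaves the sender at 200 and the receiver at 800;
    // a call with value 600 reverts on the second debit (600 > the 400 left).
    function transferAndCallBuggy(address to, uint256 value, bytes calldata data) external returns (bool) {
        super.transfer(to, value);
        _transfer(msg.sender, to, value);
        emit TransferWithData(msg.sender, to, value, data);
        if (to.code.length > 0) IERC677Receiver(to).onTokenTransfer(msg.sender, value, data);
        return true;
    }

    // Fixed: exactly one transfer, then the receiver callback.
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool) {
        _transfer(msg.sender, to, value);
        emit TransferWithData(msg.sender, to, value, data);
        if (to.code.length > 0) IERC677Receiver(to).onTokenTransfer(msg.sender, value, data);
        return true;
    }
}
```

The checked arithmetic in 0.8 only makes the bug visible when value exceeds half the sender's balance; below that the call succeeds and silently moves double. A test that only exercises the large case sees a revert and may misattribute it, so assert on the resulting balances for both a small and a large amount.
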
[packetstorm] (title missing from the listing)
EPSS 0.013 | 2022-01-25 12:00 AM | 207

[zdt] (title missing from the listing)
CVSS 4.9 | AI Score 0.1 | EPSS 0.013 | 2022-01-25 12:00 AM | 205

[code423n4] Admin can rug L2 Escrow tokens leading to reputation risk
Handle: harleythedog. Vulnerability details / Impact: The L1Escrow contract has the function approve that is callable by the admin to approve an arbitrary spender with an arbitrary amount (so they can steal all of the escrow's holdings if they want). Even if the admin is well intended, the contract can....
AI Score 7 | 2022-01-19 12:00 AM | 6

[code423n4] [WP-M0] MINTER_ROLE can be granted by the deployer of L2LivepeerToken and mint arbitrary amount of tokens
Handle: WatchPug. Vulnerability details: function mint(address _to, uint256 _amount) external override onlyRole(MINTER_ROLE) { _mint(_to, _amount); emit Mint(_to, _amount); } Using the mint() function of L2LivepeerToken, an address with MINTER_ROLE can burn an arbitrary amount of...
AI Score 7 | 2022-01-19 12:00 AM | 3

[code423n4] [WP-M2] DEFAULT_ADMIN_ROLE can approve arbitrary address to spend any amount from the L1Escrow contract
Handle: WatchPug. Vulnerability details: function approve( address _token, address _spender, uint256 _value ) public onlyRole(DEFAULT_ADMIN_ROLE) { ApproveLike(_token).approve(_spender, _value); emit Approve(_token, _spender, _value); } L1Escrow.sol#approve() allows an address...
AI Score 7 | 2022-01-19 12:00 AM | 5

[huntr] in detekt/detekt
The read() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In...
CVSS 9.8 | AI Score 1.4 | EPSS 0.002 | 2022-01-16 06:39 AM | 14

[huntr] Cross-site Scripting (XSS) - Stored in mautic/mautic
When installing Mautic (both via UI or CLI) the first and last name of the admin account are not sanitised before being stored in the database. This results in a possible stored XSS, as those fields are displayed and re-used without any sanitisation. During install the raw.....
AI Score 0.7 | 2022-01-12 07:46 PM | 9

[code423n4] safeName() can revert causing DoS
Handle: sirhashalot. Vulnerability details / Impact: The safeName() function, found in the SafeMetadata.sol contract and called in 4 Timeswap Convenience contracts in the name() functions, can cause a revert. This could make the 4 contracts not compliant with the ERC20 standard for certain asset pairs,....
AI Score 6.9 | 2022-01-08 12:00 AM | 8

Total number of security vulnerabilities: 1571