EZsystems Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
EZsystems Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
eZ Publish Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
eZ Publish Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file...
7.5AI Score
0.0004EPSS
@hoppscotch/cli is vulnerable to Sandbox Escape. The vulnerability is due to the insecure usage of the Node.js vm module, which allows untrusted JavaScript code to break out of the sandbox. It allows to gain access to references of objects created outside of the vm...
7.5AI Score
0.0004EPSS
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
Observations The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It does not render user-controlled HTML or Markdown, uses Tauri instead of Electron, and sandboxes pre-request scripts with a simple yet secure implementation.....
7.3AI Score
0.0004EPSS
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
Observations The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It does not render user-controlled HTML or Markdown, uses Tauri instead of Electron, and sandboxes pre-request scripts with a simple yet secure implementation.....
9.7AI Score
0.003EPSS
Cosign malicious artifacts can cause machine-wide DoS
Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted.....
4.9AI Score
0.0004EPSS
Cosign malicious artifacts can cause machine-wide DoS
Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted.....
7.3AI Score
0.0004EPSS
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
Summary The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in --exec,...
9.2AI Score
0.005EPSS
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
Summary The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in --exec,...
7.6AI Score
0.0004EPSS
Challenges Drive Career Growth: Meet Rudina Tafhasaj
Starting a career for the first time in a new country can be intimidating. For Rudina Tafhasaj, her path to Senior Application Engineer at Rapid7 was paved with both unique challenges, and incredible rewards. Growing up, Rudina was inspired to get into technology by her older brother. “He loved...
6.9AI Score
TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause a denial of service in boosted_trees_create_quantile_stream_resource by using negative arguments. The implementation does not validate that num_streams only contains non-negative...
6.5AI Score
0.0004EPSS
Tensorflow is an Open Source Machine Learning Framework. The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3,...
6.5AI Score
0.002EPSS
Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office
_As we continue to grow our customer base here at Rapid7, we’re growing our offices as well – this time with a new location in the Czech Republic. With a successful history of building innovation hubs from Boston to Belfast, our teams can’t wait to bring new talent from Prague into the business....
6.9AI Score
Have you ever watched a film where a hacker would plug-in, seemingly ordinary, USB drive into a victim's computer and steal data from it? - A proper wet dream for some. Disclaimer: All content in this project is intended for security research purpose only. Introduction During the summer of...
7.8AI Score
nuxt-api-party is vulnerable to Cross-Site Request Forgery. The vulnerability exists due to a faulty regurlar expression which does not take white spaces into account validation within server.ts, allowing an attacker to execute requests bypasssing the whitelist, leading to unauthorized...
7.2AI Score
0.001EPSS
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was...
6.9AI Score
0.001EPSS
Summary nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. A previous vulnerability allowed an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. This vulnerability is similar, and was...
6.9AI Score
0.001EPSS
7.1AI Score
nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by...
7.5CVSS
7.3AI Score
0.001EPSS
7.1AI Score
Building our Team in Prague: Meet Martin Votruba
From developing driver-assistance software for a luxury car brand to jumping on board an NFT startup, Martin Votruba, Lead Software Engineer, is not one to shy away from a challenge. In September of 2023, joined Rapid7 as the first hire in its new Prague office. Martin is leveraging Rapid7’s...
7.2AI Score
The approve function can be frontrun
Lines of code https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/market/WildcatMarketToken.sol#L41-L57 Vulnerability details Impact Bob steals tokens from Alice. Proof of Concept In the file WildcatMarketToken.sol there is an approve function: ...
7.1AI Score
User can manipulate coinBalance to have better collateralization rate
Lines of code https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/actions/BasicActions.sol#L31-L47 https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/SAFEEngine.sol#L161-L162...
7.3AI Score
Signed data may be usable cross-chain
Lines of code https://github.com/code-423n4/2023-10-brahma/blob/a6424230052fc47c4215200c19a8eef9b07dfccc/contracts/src/libraries/TypeHashHelper.sol#L23-L31 Vulnerability details Impact The function validatePreTransactionOverridable(), which Validates a txn on guard before execution, for Brahma...
6.9AI Score
prague-guide.fr Cross Site Scripting vulnerability OBB-3740379
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.1AI Score
Lack of validation allows invalid ticks, impacting data integrity.
Lines of code https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L29-L31...
7AI Score
Users can deposit() even when Chainlink's price feed for CVX is stale
Lines of code Vulnerability details Bug Description In VotiumStrategy.sol, the price of vAfEth is determined by the price() function: VotiumStrategy.sol#L31-L33 function price() external view override returns (uint256) { return (cvxPerVotium() * ethPerCvx(false)) / 1e18; } As seen...
7AI Score
Intrinsic arbitrage from price discrepancy
Lines of code Vulnerability details Impact The up to 2 % price discrepancy from Chainlink creates an intrinsic arbitrage. Especially, it makes withdrawals worth more than deposits in the sense that one can immediately withdraw more than just deposited. Proof of Concept When depositing ETH into...
6.9AI Score
VotiumStrategy.price() does not validate Chainlink response
Lines of code Vulnerability details Impact AfEth.deposit() may mint an incorrect amount of afEth. VotiumStrategy.price() may return an incorrect price of vAfEth. AfEth.price() may return an incorrect price of afEth. Proof of Concept VotiumStrategy.price() function price() external view override...
7AI Score
Missing circuit breaker checks in ethPerCvx() for Chainlink's price feed
Lines of code Vulnerability details Bug Description The ethPerCvx() function relies on a Chainlink oracle to fetch the CVX / ETH price: VotiumStrategyCore.sol#L158-L169 try chainlinkCvxEthFeed.latestRoundData() returns ( uint80 roundId, int256 answer, ...
6.8AI Score
AfEth deposits could use price data from an invalid Chainlink response
Lines of code Vulnerability details Summary The current price implementation for the VotiumStrategy token uses a potentially invalid Chainlink response. This price is then used to calculate the price of AfEth and, subsequently, the amount of tokens to mint while depositing. Impact The price of...
6.9AI Score
Stale cvx price can be used while depositing
Lines of code https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategy.sol#L32 Vulnerability details Impact Stale cvx price can be used while depositing Proof of Concept When user deposits, then price of afEth token is calculated. It's needed to know how....
7AI Score
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for...
7.5CVSS
7.7AI Score
0.001EPSS
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version...
9.8CVSS
9.4AI Score
0.001EPSS
Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version...
9.8CVSS
7AI Score
0.001EPSS
@strapi/admin and @strapi/plugin-users-permissions vulnerable to Improper Rate Limiting. The vulnerability is due to bypassable rate limiting logic in the admin and user authentication endpoints which could theoretically allow an attacker to brute force valid username and password...
7.1AI Score
0.001EPSS
Strapi Improper Rate Limiting vulnerability
Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case,...
6.6AI Score
0.001EPSS
Strapi Improper Rate Limiting vulnerability
Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case,...
7AI Score
0.001EPSS
All the funds will be lost if the destination bridge is paused
Lines of code https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/bridge/DestinationBridge.sol#L31 Vulnerability details Impact Destination bridge is pausable, so if for a chain a destination bridge is paused, all the funds being bridged from...
6.8AI Score
prague-ticket-concert.com Cross Site Scripting vulnerability OBB-3652377
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.1AI Score
getPastCirculatingSupply() returns the ARB token supply instead of circulating votes supply
Lines of code Vulnerability details Bug Description In ArbitrumGovernorVotesQuorumFractionUpgradeable, the getPastCirculatingSupply() function is used when calculating quorum for proposals: ArbitrumGovernorVotesQuorumFractionUpgradeable.sol#L31-L35 /// @notice Get "circulating" votes supply;...
6.8AI Score
Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/SecurityCouncilManager.sol#L420-L443 Vulnerability details Impact SecurityCouncilMemberSyncAction.perform is a crucial function that will be triggered by upgrade...
6.8AI Score
Anyone can call the perform function because there is no access control
Lines of code #L31-#L75 Vulnerability details Impact Anyone can call the perform function. It can lead to unauthorized changes in the security council. Proof of Concept There is no access control in the perform function and it is marked "external". function perform(address _securityCouncil,...
6.9AI Score
Lines of code Vulnerability details Impact The _securityCouncil update will be prevented by continuously calling the perform function. Since the function rely on the nonce value, this function can be continuously called and nonce value is updated. This would prevent the valid security council...
7.2AI Score
Anyone can change the members of Security Council
Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNonce(_securityCouncil); if...
6.8AI Score
Anyone can become owner of GnosisSafe(securityCouncil) contracts
Lines of code Vulnerability details Impact Member roles in SecurityCouncilManager contract can change owners of GnosisSafe(securityCouncil) contracts by schedulinig a perform call to ArbitrumTimelock contract. However the contract that handles updating owners(security council members) with perform....
6.7AI Score
Risk of Incorrect Collateral Pricing in Case of Aggregator Reaching minAnswer
Lines of code Vulnerability details Impact Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the.....
6.9AI Score