Immunefi Audit Competitions

Ctrlk

Powered by GitBook

On this page

Shardeum Ancillaries

Reports by Severity

Critical | Medium | Low | Insight

Critical

Boost _ Shardeum_ Ancillaries 34508 - [Websites and Applications - Critical] Malicious archiver can overwtite account data on any active archiver

Medium

Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack

Low

Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints

Insight

Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints

Reports by Type

Websites and Applications

Websites and Applications

Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack
Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints
Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
Boost _ Shardeum_ Ancillaries 34508 - [Websites and Applications - Critical] Malicious archiver can overwtite account data on any active archiver

Previous29116 - [SC - Low] Using deposit results in more shares for the sa...NextBoost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass l

Last updated 1 year ago

Was this helpful?

Reports by Severity
Reports by Type

Was this helpful?