# Shardeum Ancillaries

## Reports by Severity

[Critical](#critical) | [Medium](#medium) | [Low](#low) | [Insight](#insight)

<details>

<summary>Critical</summary>

* [Boost \_ Shardeum\_ Ancillaries 34508 - \[Websites and Applications - Critical\] Malicious archiver can overwrite account data on any active archiver](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34508-websites-and-applications-critical-malicious-archiver-can-overwt)

</details>

<details>

<summary>Medium</summary>

* [Boost \_ Shardeum\_ Ancillaries 33571 - \[Websites and Applications - Medium\] Taking down the websocket server via malicious methods object override](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33571-websites-and-applications-medium-taking-down-the-websocket-serve)
* [Boost \_ Shardeum\_ Ancillaries 34298 - \[Websites and Applications - Medium\] archive-server can be killed by connected shardus-instance](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34298-websites-and-applications-medium-archive-server-can-be-killed-by)
* [Boost \_ Shardeum\_ Ancillaries 34392 - \[Websites and Applications - Medium\] JSON-RPC Complete Password Recovery Through Timing Attack](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34392-websites-and-applications-medium-json-rpc-complete-password-reco)

</details>

<details>

<summary>Low</summary>

* [Boost \_ Shardeum\_ Ancillaries 33040 - \[Websites and Applications - Low\] API CSRF protection bypass leading to arbitrary operator-cli command execution](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33040-websites-and-applications-low-api-csrf-protection-bypass-leading)
* [Boost \_ Shardeum\_ Ancillaries 33692 - \[Websites and Applications - Low\] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33692-websites-and-applications-low-reflected-xss-in-validator-node-en)
* [Boost \_ Shardeum\_ Ancillaries 34367 - \[Websites and Applications - Low\] CSRF vulnerability due to missing SameSite=Strict attribute allowing an attacker to perform authenticated actions](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34367-websites-and-applications-low-csrf-vulnerability-due-to-missing)
* [Boost \_ Shardeum\_ Ancillaries 34473 - \[Websites and Applications - Low\] Insight XSS in json rpc server without CSP bypass](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34473-websites-and-applications-low-insight-xss-in-json-rpc-server-wit)
* [Boost \_ Shardeum\_ Ancillaries 34475 - \[Websites and Applications - Low\] CSRF in Json RPC Server allows requesting authenticated API endpoints](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34475-websites-and-applications-low-csrf-in-json-rpc-server-allows-req)

</details>

<details>

<summary>Insight</summary>

* [Boost \_ Shardeum\_ Ancillaries 33392 - \[Websites and Applications - Insight\] Validator GUI password bruteforcing is possible using the proxies](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33392-websites-and-applications-insight-validator-gui-password-brutefo)
* [Boost \_ Shardeum\_ Ancillaries 33490 - \[Websites and Applications - Insight\] Abusing blacklist functionality to get victims IP to be banned](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33490-websites-and-applications-insight-abusing-blacklist-functionalit)
* [Boost \_ Shardeum\_ Ancillaries 33522 - \[Websites and Applications - Insight\] Exposed Redis Service Vulnerability on apishardeumorg](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33522-websites-and-applications-insight-exposed-redis-service-vulnerab)
* [Boost \_ Shardeum\_ Ancillaries 33558 - \[Websites and Applications - Insight\] In some instances the socket can be made to hang](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33558-websites-and-applications-insight-in-some-instances-the-socket-c)
* [Boost \_ Shardeum\_ Ancillaries 33577 - \[Websites and Applications - Insight\] Taking down the HTTP server via jayson -day vulnerability](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33577-websites-and-applications-insight-taking-down-the-http-server-vi)
* [Boost \_ Shardeum\_ Ancillaries 33809 - \[Websites and Applications - Insight\] Blocking the user from interacting with GUI via rate-limiting abuse](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33809-websites-and-applications-insight-blocking-the-user-from-interac)
* [Boost \_ Shardeum\_ Ancillaries 34474 - \[Websites and Applications - Insight\] SQL injection in json-rpc-server within the txStatusSaver function via the IP argument leads to application shutdown](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34474-websites-and-applications-insight-sql-injection-in-json-rpc-serv)
* [Boost \_ Shardeum\_ Ancillaries 34492 - \[Websites and Applications - Insight\] DoS via unbounded tx id list processing in api endpoints](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34492-websites-and-applications-insight-dos-via-unbounded-tx-id-list-p)

</details>

## Reports by Type

[Websites and Applications](#websites-and-applications)

<details>

<summary>Websites and Applications</summary>

* [Boost \_ Shardeum\_ Ancillaries 33040 - \[Websites and Applications - Low\] API CSRF protection bypass leading to arbitrary operator-cli command execution](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33040-websites-and-applications-low-api-csrf-protection-bypass-leading)
* [Boost \_ Shardeum\_ Ancillaries 33392 - \[Websites and Applications - Insight\] Validator GUI password bruteforcing is possible using the proxies](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33392-websites-and-applications-insight-validator-gui-password-brutefo)
* [Boost \_ Shardeum\_ Ancillaries 33490 - \[Websites and Applications - Insight\] Abusing blacklist functionality to get victims IP to be banned](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33490-websites-and-applications-insight-abusing-blacklist-functionalit)
* [Boost \_ Shardeum\_ Ancillaries 33522 - \[Websites and Applications - Insight\] Exposed Redis Service Vulnerability on apishardeumorg](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33522-websites-and-applications-insight-exposed-redis-service-vulnerab)
* [Boost \_ Shardeum\_ Ancillaries 33558 - \[Websites and Applications - Insight\] In some instances the socket can be made to hang](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33558-websites-and-applications-insight-in-some-instances-the-socket-c)
* [Boost \_ Shardeum\_ Ancillaries 33571 - \[Websites and Applications - Medium\] Taking down the websocket server via malicious methods object override](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33571-websites-and-applications-medium-taking-down-the-websocket-serve)
* [Boost \_ Shardeum\_ Ancillaries 33577 - \[Websites and Applications - Insight\] Taking down the HTTP server via jayson -day vulnerability](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33577-websites-and-applications-insight-taking-down-the-http-server-vi)
* [Boost \_ Shardeum\_ Ancillaries 33692 - \[Websites and Applications - Low\] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33692-websites-and-applications-low-reflected-xss-in-validator-node-en)
* [Boost \_ Shardeum\_ Ancillaries 33809 - \[Websites and Applications - Insight\] Blocking the user from interacting with GUI via rate-limiting abuse](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-33809-websites-and-applications-insight-blocking-the-user-from-interac)
* [Boost \_ Shardeum\_ Ancillaries 34298 - \[Websites and Applications - Medium\] archive-server can be killed by connected shardus-instance](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34298-websites-and-applications-medium-archive-server-can-be-killed-by)
* [Boost \_ Shardeum\_ Ancillaries 34367 - \[Websites and Applications - Low\] CSRF vulnerability due to missing SameSite=Strict attribute allowing an attacker to perform authenticated actions](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34367-websites-and-applications-low-csrf-vulnerability-due-to-missing)
* [Boost \_ Shardeum\_ Ancillaries 34392 - \[Websites and Applications - Medium\] JSON-RPC Complete Password Recovery Through Timing Attack](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34392-websites-and-applications-medium-json-rpc-complete-password-reco)
* [Boost \_ Shardeum\_ Ancillaries 34473 - \[Websites and Applications - Low\] Insight XSS in json rpc server without CSP bypass](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34473-websites-and-applications-low-insight-xss-in-json-rpc-server-wit)
* [Boost \_ Shardeum\_ Ancillaries 34474 - \[Websites and Applications - Insight\] SQL injection in json-rpc-server within the txStatusSaver function via the IP argument leads to application shutdown](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34474-websites-and-applications-insight-sql-injection-in-json-rpc-serv)
* [Boost \_ Shardeum\_ Ancillaries 34475 - \[Websites and Applications - Low\] CSRF in Json RPC Server allows requesting authenticated API endpoints](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34475-websites-and-applications-low-csrf-in-json-rpc-server-allows-req)
* [Boost \_ Shardeum\_ Ancillaries 34492 - \[Websites and Applications - Insight\] DoS via unbounded tx id list processing in api endpoints](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34492-websites-and-applications-insight-dos-via-unbounded-tx-id-list-p)
* [Boost \_ Shardeum\_ Ancillaries 34508 - \[Websites and Applications - Critical\] Malicious archiver can overwrite account data on any active archiver](https://reports.immunefi.com/shardeum-ancillaries/boost-_-shardeum_-ancillaries-34508-websites-and-applications-critical-malicious-archiver-can-overwt)

</details>
