Shardeum Ancillaries II

Reports by Severity

Critical
  • #35709 [W&A-Critical] Potential DoS of archiver-server during network restoration via get_account_data_archiver call

  • #36025 [W&A-Critical] A malicious validator can overwrite the account data of any archive server connected to it.

High
  • #35903 [W&A-High] SQL Injection Allows a Malicious Archiver to Overwrite Receipt/originalTxData Database on Any Active Archiver in the Network

  • #35447 [W&A-High] Zero Click Full Account Takeover

  • #35452 [W&A-High] Admin Panel Accessed

  • #35979 [W&A-High] Malicious Archiver/Malicious Validator can overwrite data on any active archiver and more

Medium
  • #35824 [W&A-Medium] `/set-config` replay attack is possible in production mode after archiver restart

Insight
  • #35157 [W&A-Insight] Unauthorized Access to Shardeum Config Store using default credentials

  • #35534 [W&A-Insight] json rpc server remote crash

  • #35446 [W&A-Insight] IDOR Able to change other user information

  • #35972 [W&A-Insight] Operator-GUI Weak JWT Token Generation Led To Generate same JWT Tokens Even if The User Has its Unique "nodeId"

  • #36005 [W&A-Insight] Reflected URL Manipulation and Phishing Risk

  • #35996 [W&A-Insight] Malicious Explorer can cause Denial of Service in JSON RPC server and even crash it

  • #35537 [W&A-Insight] json rpc server websocket remote crash

  • #35351 [W&A-Insight] Password Length Bypass in Shardeum Authentication System

  • #35598 [W&A-Insight] Access to debug endpoints without any protection

Reports by Type

Websites & Applications
  • #35709 [W&A-Critical] Potential DoS of archiver-server during network restoration via get_account_data_archiver call

  • #35157 [W&A-Insight] Unauthorized Access to Shardeum Config Store using default credentials

  • #35534 [W&A-Insight] json rpc server remote crash

  • #35824 [W&A-Medium] `/set-config` replay attack is possible in production mode after archiver restart

  • #35903 [W&A-High] SQL Injection Allows a Malicious Archiver to Overwrite Receipt/originalTxData Database on Any Active Archiver in the Network

  • #35446 [W&A-Insight] IDOR Able to change other user information

  • #35447 [W&A-High] Zero Click Full Account Takeover

  • #35972 [W&A-Insight] Operator-GUI Weak JWT Token Generation Led To Generate same JWT Tokens Even if The User Has its Unique "nodeId"

  • #35452 [W&A-High] Admin Panel Accessed

  • #36005 [W&A-Insight] Reflected URL Manipulation and Phishing Risk

  • #36025 [W&A-Critical] A malicious validator can overwrite the account data of any archive server connected to it.

  • #35979 [W&A-High] Malicious Archiver/Malicious Validator can overwrite data on any active archiver and more

  • #35996 [W&A-Insight] Malicious Explorer can cause Denial of Service in JSON RPC server and even crash it

  • #35537 [W&A-Insight] json rpc server websocket remote crash

  • #35351 [W&A-Insight] Password Length Bypass in Shardeum Authentication System

  • #35598 [W&A-Insight] Access to debug endpoints without any protection