CVE-2018-14087
An issue was discovered in a smart contract implementation for EUC (EUC), an Ethereum token. The contract has an integer overflow. If the owner sets the value of buyPrice to a large number in...
An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in...
An issue was discovered in a smart contract implementation for UserWallet 0x0a7bca9FB7AfF26c6ED8029BB6f0F5D291587c42, an Ethereum token. First, suppose that the owner adds the evil contract address to his sweepers. The evil contract looks like this:...
An issue was discovered in a smart contract implementation for MKCB, an Ethereum token. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will...
libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c. Date published : 2018-07-15 https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926
libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, and sixel_decode_raw in fromsixel.c. Date published : 2018-07-15 https://github.com/saitoha/libsixel/issues/67#issue-341198610
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add a user account via admin.php?m=Admin&c=member&a=add. Date published : 2018-07-15 https://github.com/martinzhou2015/SRCMS/issues/20
An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability that can add an admin account via admin.php?m=Admin&c=manager&a=add. Date published : 2018-07-15 https://github.com/martinzhou2015/SRCMS/issues/20
The content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix...
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. Date published : 2018-07-15 https://github.com/PHPOffice/Common/pull/23 https://github.com/PHPOffice/Common/releases/tag/0.2.9
The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80. Date published : 2018-07-15 https://www.exploit-db.com/exploits/45030/ https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
The increaseApproval function of a smart contract implementation for Tracto (TRCT), an Ethereum ERC20 token, has an integer overflow. Date published : 2018-07-15 https://github.com/tracto2/Tracto-ERC20/issues/1
OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. Date published : 2018-07-14 http://www.cnvd.org.cn/flaw/show/CNVD-2018-04520...
ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories. Date published : 2018-07-14 https://www.debian.org/security/2018/dsa-4252 https://security.gentoo.org/glsa/201807-03