Critical | Medium | Low | Insight
Medium
- Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
- Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
- Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack
Low
- Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
- Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
- Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
- Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
- Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints
Insight
- Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
- Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
- Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
- Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
- Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
- Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
- Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
- Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
Websites and Applications
- Boost _ Shardeum_ Ancillaries 33040 - [Websites and Applications - Low] API CSRF protection bypass leading to arbitrary operator-cli command execution
- Boost _ Shardeum_ Ancillaries 33392 - [Websites and Applications - Insight] Validator GUI password bruteforcing is possible using the proxies
- Boost _ Shardeum_ Ancillaries 33490 - [Websites and Applications - Insight] Abusing blacklist functionality to get victims IP to be banned
- Boost _ Shardeum_ Ancillaries 33522 - [Websites and Applications - Insight] Exposed Redis Service Vulnerability on apishardeumorg
- Boost _ Shardeum_ Ancillaries 33558 - [Websites and Applications - Insight] In some instances the socket can be made to hang
- Boost _ Shardeum_ Ancillaries 33571 - [Websites and Applications - Medium] Taking down the websocket server via malicious methods object override
- Boost _ Shardeum_ Ancillaries 33577 - [Websites and Applications - Insight] Taking down the HTTP server via jayson -day vulnerability
- Boost _ Shardeum_ Ancillaries 33692 - [Websites and Applications - Low] Reflected XSS in validator node endpoints leads to node shutdown via validator-gui
- Boost _ Shardeum_ Ancillaries 33809 - [Websites and Applications - Insight] Blocking the user from interacting with GUI via rate-limiting abuse
- Boost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be killed by connected shardus-instance
- Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSiteStrict attribute resulting blackhat to perform authenticated action
- Boost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Password Recovery Through Timing Attack
- Boost _ Shardeum_ Ancillaries 34473 - [Websites and Applications - Low] Insight XSS in json rpc server without CSP bypass
- Boost _ Shardeum_ Ancillaries 34474 - [Websites and Applications - Insight] SQL injection in json-rpc-server within thetxStatusSaver function via the IP argument leads to application shutdown
- Boost _ Shardeum_ Ancillaries 34475 - [Websites and Applications - Low] CSRF in Json RPC Server allows requesting authenticated API endpoints
- Boost _ Shardeum_ Ancillaries 34492 - [Websites and Applications - Insight] DoS via unbounded tx id list processing in api endpoints
- Boost _ Shardeum_ Ancillaries 34508 - [Websites and Applications - Critical] Malicious archiver can overwtite account data on any active archiver