makerdao / governance-portal-v2

Governance Portal V2
https://vote.makerdao.com/
GNU Affero General Public License v3.0

Old investor and passDAO holder helping my old project #337

Closed philipjonsen closed 2 years ago

philipjonsen commented 2 years ago

Describe the bug: A clear and concise description of what the bug is.

To Reproduce: Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior: A clear and concise description of what you expected to happen.

Screenshots: If applicable, add screenshots to help explain your problem.

Additional context: Add any other context about the problem here.

superjson Remote Code Execution (RCE)
Vulnerability: CWE-94, CVE-2022-23631, CVSS 9 CRITICAL
Score: 736
Introduced through: superjson@1.8.0
Fixed in: superjson@1.8.1
Exploit maturity: HIGH
Detailed paths: governance-portal-v2@0.2.6 › superjson@1.8.0
Fix: Upgrade to superjson@1.8.1

Overview: superjson: Safely serialize JavaScript expressions to a superset of JSON, which includes Dates, BigInts, and more.

Affected versions of this package are vulnerable to Remote Code Execution (RCE), as it allows running arbitrary code on any server using superjson input, including a Blitz.js server, without prior authentication or knowledge. Attackers gain full control over the server, so they could steal and manipulate data or attack further systems.

Philipjonsen@cryptosweden.eu for full report and fixes.
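The pasted advisory names only the vulnerable release (superjson@1.8.0), the fixed release (superjson@1.8.1) and the path through governance-portal-v2@0.2.6. The script below is an added example, not code from this issue or from the governance-portal-v2 project: it walks a package-lock.json-style dependency tree, lists every installed copy of a package in the advisory's "a › b@version" path style, and flags the copies that sit below the first fixed version. The package name and the two version numbers come from the advisory; the lock-file contents, the dependency "some-dep" and the function names are constructed for illustration.

```javascript
// Added example: audit a package-lock.json-style dependency tree for installs
// of a package that are older than its first fixed release. Not code from the
// issue thread or from the governance-portal-v2 project. The package name
// (superjson), vulnerable version (1.8.0), fixed version (1.8.1) and the
// project name/version come from the pasted advisory; the lock-file contents
// and the package "some-dep" are constructed for illustration.

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is dropped
// (assumption: the lock file carries plain semver versions).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lock-file "packages" keys look like "node_modules/a/node_modules/b";
// split them into the chain of package names (scoped names keep their "/").
function keyToSegments(key) {
  return key
    .split('node_modules/')
    .filter(Boolean)
    .map((s) => s.replace(/\/$/, ''));
}

// Find every installed copy of pkgName, report its dependency path in the
// advisory's "a › b@version" style, and mark it vulnerable when its version
// is below fixedVersion.
function findVulnerableInstalls(lock, pkgName, fixedVersion) {
  const root = lock.packages[''] || {};
  const rootName = root.name || 'root';
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const segments = keyToSegments(key);
    if (segments.length === 0 || segments[segments.length - 1] !== pkgName) continue;
    const path = [rootName, ...segments.slice(0, -1), `${pkgName}@${entry.version}`].join(' › ');
    hits.push({
      path,
      version: entry.version,
      vulnerable: compareVersions(entry.version, fixedVersion) < 0,
    });
  }
  return hits;
}

// Constructed lock file: one direct superjson@1.8.0 (vulnerable) and one
// nested copy under a made-up dependency that already pins the fixed release.
const SAMPLE_LOCK = {
  name: 'governance-portal-v2',
  version: '0.2.6',
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'governance-portal-v2',
      version: '0.2.6',
      dependencies: { superjson: '^1.8.0', 'some-dep': '^2.0.0' },
    },
    'node_modules/superjson': { version: '1.8.0' },
    'node_modules/some-dep': { version: '2.0.0', dependencies: { superjson: '^1.8.1' } },
    'node_modules/some-dep/node_modules/superjson': { version: '1.8.1' },
  },
};

// Run the audit against the constructed lock file.
function auditSampleLock() {
  return findVulnerableInstalls(SAMPLE_LOCK, 'superjson', '1.8.1');
}

// Human-readable report, one line per installed copy.
function formatReport(hits) {
  return hits
    .map((h) => `${h.vulnerable ? 'VULNERABLE' : 'ok        '}  ${h.path}`)
    .join('\n');
}

console.log(formatReport(auditSampleLock()));
```

Only the direct copy is flagged: a nested copy that already resolves to 1.8.1 passes, which is why the report lists every install path rather than just the top-level version in package.json. To run it against a real lock file, replace SAMPLE_LOCK with the parsed contents of package-lock.json (lockfile version 2 or 3, which carry the "packages" map).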

philipjonsen commented 2 years ago

Came across https://immunefi.com/bounty/makerdao/ yesterday.

b-pmcg commented 2 years ago

Hi @philipjonsen, please direct bug reports and bounties to https://immunefi.com/bounty/makerdao/; they will triage.

philipjonsen commented 2 years ago

Alright, for sure, but it takes 48 hours, only 5 bugs per 48 hours.

On Fri 11 Feb 2022 at 16:11, Phil Bain @.***> wrote:

Hi @philipjonsen https://github.com/philipjonsen, please direct bug reports and bounties to https://immunefi.com/bounty/makerdao/; they will triage.


philipjonsen commented 2 years ago

I just want to help a DAO project :)

On Fri 11 Feb 2022 at 16:11, Phil Bain @.***> wrote:

Hi @philipjonsen https://github.com/philipjonsen, please direct bug reports and bounties to https://immunefi.com/bounty/makerdao/; they will triage.
