Monero

20 total issues disclosed
$0 total paid publicly
Most disclosed vulnerability type: Business Logic Errors (5 disclosures)

Disclosed Reports
| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Hardware Wallets Do Not Check Unlock Time | Man-in-the-Middle | thecharlatan | Medium | 2021-09-12 |
| Unix time unlock_time values have dangerous validation rules enabling a number of exploits | Business Logic Errors | thecharlatan | High | 2021-09-12 |
| Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop | Denial of Service | ahook | High | 2018-09-29 |
| Stack Overflow in JSON RPC Server | Stack Overflow | talko | No rating | 2018-09-29 |
| Constant-time comparison is not always implemented; critical areas are vulnerable to key-timing attacks | Missing Required Cryptographic Step | anonimal | Critical | 2018-08-06 |
| Trusted daemon check fails when proxied through torsocks or proxychains | Privacy Violation | equim | Low | 2018-08-02 |
| Misreporting of received amount by show_transfers | Business Logic Errors | moneromooo | High | 2018-08-02 |
| epee will accept an arbitrary amount of leading line-breaks in an http request | Denial of Service | ahook | Low | 2018-08-02 |
| monerod can be disabled by a well-timed TCP reset packet | Denial of Service | ahook | Medium | 2018-08-02 |
| A bug in the Monero wallet balance can enable theft from exchanges | Business Logic Errors | jagerman | Critical | 2018-08-02 |
| Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs | Business Logic Errors | phiren | High | 2018-07-27 |
| forum.getmonero.org Shell upload | Code Injection | kaulse | High | 2018-07-27 |
| Monero Website & Kovri on your policy are returning 404 not found. | Business Logic Errors | axolotl | None | 2018-04-25 |
| TabNabbing issue (due to target=_blank) | None supplied | ursa | No rating | 2018-04-25 |
| Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import | Out-of-bounds Read | ovrflow | Low | 2018-04-25 |
| Buffer out of bound read in miniupnpc xml parser | Buffer Over-read | yukichen | Low | 2018-04-25 |
| Monero GUI not linked with /DYNAMICBASE or hardening on windows, no ASLR | None supplied | flxflndy_ | No rating | 2018-03-18 |
| Corrupt RPC responses from remote daemon nodes can lead to transaction tracing | Privacy Violation | monero-hax123 | Medium | 2018-03-16 |
| remote access to localhost daemon, can issue jsonrpc commands | Cross-Site Request Forgery (CSRF) | bugbound | Low | 2018-02-22 |
| Kovri: potential buffer over-read in garlic clove handling + I2NP message creation | Information Disclosure | aerodudrizzt | High | 2017-12-05 |
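The "Constant-time comparison is not always implemented" report in the table describes a bug class rather than a single line of code, so the following added example illustrates it. This is not Monero's code and makes no claim about where in Monero the issue was; it is a self-contained C demonstration. A byte-by-byte comparison that returns at the first mismatch does an amount of work (and takes a time) that depends on how many leading bytes of an attacker-supplied value match the secret, which lets the attacker recover the secret one byte at a time. A constant-time comparison touches every byte and folds the differences into an accumulator, so its work is identical for every input. The 32-byte "secret", the helper names and the guess vectors are constructed for the demonstration; the iteration counter stands in for wall-clock time so the effect is visible without a timer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* 32 bytes, the size of a typical key or hash (constructed example) */

/* Vulnerable pattern: returns at the first differing byte, so the number of
 * loop iterations (and the run time) reveals the index of the first mismatch. */
static int naive_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        if (a[i] != b[i])
            return 0;          /* data-dependent early exit */
    }
    return 1;
}

/* Hardened pattern: no data-dependent branch; every byte is visited and the
 * XOR differences are OR-folded into one accumulator that is tested at the end.
 * The volatile keeps the compiler from reintroducing an early exit. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    volatile uint8_t diff = 0;
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Build a constructed secret and a guess that matches it up to byte `pos`
 * and differs there; pos == KEY_LEN yields a guess equal to the secret. */
static void make_pair(size_t pos, uint8_t *secret, uint8_t *guess)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        secret[i] = (uint8_t)(0xA5 ^ i);   /* constructed filler, not a real key */
    memcpy(guess, secret, KEY_LEN);
    if (pos < KEY_LEN)
        guess[pos] ^= 0x01;
}

/* Work done by each comparison for a guess whose first mismatch is at `pos`. */
size_t naive_iters_for_mismatch_at(size_t pos)
{
    uint8_t s[KEY_LEN], g[KEY_LEN];
    size_t it;
    make_pair(pos, s, g);
    naive_equal(s, g, KEY_LEN, &it);
    return it;
}

size_t ct_iters_for_mismatch_at(size_t pos)
{
    uint8_t s[KEY_LEN], g[KEY_LEN];
    size_t it;
    make_pair(pos, s, g);
    ct_equal(s, g, KEY_LEN, &it);
    return it;
}

/* Both comparisons must still agree on the actual answer. */
int naive_equal_result(size_t pos)
{
    uint8_t s[KEY_LEN], g[KEY_LEN];
    size_t it;
    make_pair(pos, s, g);
    return naive_equal(s, g, KEY_LEN, &it);
}

int ct_equal_result(size_t pos)
{
    uint8_t s[KEY_LEN], g[KEY_LEN];
    size_t it;
    make_pair(pos, s, g);
    return ct_equal(s, g, KEY_LEN, &it);
}

int main(void)
{
    const size_t positions[] = { 0, 1, 16, 31, KEY_LEN };
    for (size_t k = 0; k < sizeof positions / sizeof positions[0]; k++) {
        size_t p = positions[k];
        printf("first mismatch at %2zu: naive %2zu iterations, constant-time %2zu iterations\n",
               p, naive_iters_for_mismatch_at(p), ct_iters_for_mismatch_at(p));
    }
    return 0;
}
```

The naive compare spends 1 iteration when the guess is wrong in byte 0 and 32 when only the last byte is wrong, so an attacker who can measure response time learns how many leading bytes are right; the constant-time compare always spends 32. In production code the check should not be hand-rolled at all: use a vetted primitive such as libsodium's `crypto_verify_32` or OpenSSL's `CRYPTO_memcmp`, and remember that a compiler may still optimise a home-grown loop in ways an iteration counter does not show.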