CWE-1188
AllowedInitialization of a Resource with an Insecure Default
Abstraction: Base · Status: Incomplete
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
402 vulnerabilities reference this CWE, most recent first.
GHSA-76FV-M4GP-Q47J
Vulnerability from github – Published: 2025-03-25 06:30 – Updated: 2025-03-25 18:30Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
{
"affected": [],
"aliases": [
"CVE-2025-27809"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T06:15:41Z",
"severity": "MODERATE"
},
"details": "Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.",
"id": "GHSA-76fv-m4gp-q47j",
"modified": "2025-03-25T18:30:54Z",
"published": "2025-03-25T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27809"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls/issues/466"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls/releases"
},
{
"type": "WEB",
"url": "https://mastodon.social/@bagder/114219540623402700"
},
{
"type": "WEB",
"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76H5-VM7X-9F4C
Vulnerability from github – Published: 2026-03-31 18:31 – Updated: 2026-03-31 18:31NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.
{
"affected": [],
"aliases": [
"CVE-2026-24148"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T17:16:29Z",
"severity": "HIGH"
},
"details": "NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of encrypted data, data tampering, and partial denial of service across devices sharing the same machine ID.",
"id": "GHSA-76h5-vm7x-9f4c",
"modified": "2026-03-31T18:31:31Z",
"published": "2026-03-31T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24148"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5797"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7754-V5C4-C9PG
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.
{
"affected": [],
"aliases": [
"CVE-2020-14011"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless \"Built-in admin\" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.",
"id": "GHSA-7754-v5c4-c9pg",
"modified": "2022-05-24T17:20:30Z",
"published": "2022-05-24T17:20:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14011"
},
{
"type": "WEB",
"url": "https://pastebin.com/EUkMx94X"
},
{
"type": "WEB",
"url": "https://www.lansweeper.com/knowledgebase/restricting-access-to-the-web-console"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/158205/Lansweeper-7.2-Default-Account-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-778M-X6M8-V6H8
Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2025-12-12 06:31In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL.
{
"affected": [],
"aliases": [
"CVE-2025-64781"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T05:16:11Z",
"severity": "MODERATE"
},
"details": "In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, \"External page display restriction\" is set to \"Do not limit\" in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL.",
"id": "GHSA-778m-x6m8-v6h8",
"modified": "2025-12-12T06:31:14Z",
"published": "2025-12-12T06:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64781"
},
{
"type": "WEB",
"url": "https://groupsession.jp/info/info-news/security20251208"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN19940619"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7844-V3MR-C966
Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2023-02-01 18:30A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.
{
"affected": [],
"aliases": [
"CVE-2019-19340"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-19T21:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with \u0027-e rabbitmq_enable_manager=true\u0027 exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.",
"id": "GHSA-7844-v3mr-c966",
"modified": "2023-02-01T18:30:23Z",
"published": "2022-05-24T17:04:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19340"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19340"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7853-GQQM-VCWX
Vulnerability from github – Published: 2026-04-08 00:16 – Updated: 2026-04-08 00:16Affected
openclaw-claude-bridge v1.1.0
Issue
v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.
Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:
--tools <tools...>Specify the list of available tools from the built-in set. Use""to disable all tools,"default"to use all tools, or specify tool names (e.g."Bash,Edit,Read").
Impact
- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
- Actual execution behavior in
--printnon-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang). - Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.
The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.
Patches
Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.
Workarounds
Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.
References
- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference
Credit
Found during a second-round code review.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw-claude-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39398"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:16:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Affected\n\nopenclaw-claude-bridge v1.1.0\n\n## Issue\n\nv1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools \"\"` and the release notes + README claim this **\"disables all CLI tools\"** for sandboxing. This claim is incorrect.\n\nPer the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts \u2014 NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:\n\n\u003e `--tools \u003ctools...\u003e` Specify the list of available tools from the built-in set. **Use `\"\"` to disable all tools**, `\"default\"` to use all tools, or specify tool names (e.g. `\"Bash,Edit,Read\"`).\n\n## Impact\n\n- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.\n- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).\n- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.\n\nThe README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway\u0027s process context.\n\n## Patches\n\nFixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools \"\"`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.\n\n## Workarounds\n\nSetting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.\n\n## References\n\n- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5\n- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1\n- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference\n\n## Credit\n\nFound during a second-round code review.",
"id": "GHSA-7853-gqqm-vcwx",
"modified": "2026-04-08T00:16:09Z",
"published": "2026-04-08T00:16:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/security/advisories/GHSA-7853-gqqm-vcwx"
},
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/SeaL773/openclaw-claude-bridge"
},
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "openclaw-claude-bridge: sandbox is not effective - `--allowed-tools \"\"` does not restrict available tools"
}
GHSA-78GV-H544-MG8G
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:23doorGets 7.0 has a default administrator credential vulnerability. A remote attacker can use this vulnerability to gain administrator privileges for the creation and modification of articles via an H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 access_token in a uri=blog&action=index&controller=blog action to /api/index.php.
{
"affected": [],
"aliases": [
"CVE-2019-11618"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-30T20:29:00Z",
"severity": "CRITICAL"
},
"details": "doorGets 7.0 has a default administrator credential vulnerability. A remote attacker can use this vulnerability to gain administrator privileges for the creation and modification of articles via an H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 access_token in a uri=blog\u0026action=index\u0026controller=blog action to /api/index.php.",
"id": "GHSA-78gv-h544-mg8g",
"modified": "2024-04-04T00:23:10Z",
"published": "2022-05-24T16:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11618"
},
{
"type": "WEB",
"url": "https://github.com/itodaro/doorGets_cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-794F-5GFQ-XMMQ
Vulnerability from github – Published: 2024-09-03 15:30 – Updated: 2025-11-04 18:31Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don't have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
{
"affected": [],
"aliases": [
"CVE-2024-8383"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T13:15:05Z",
"severity": "HIGH"
},
"details": "Firefox normally asks for confirmation before asking the operating system to find an application to handle a scheme that the browser does not support. It did not ask before doing so for the Usenet-related schemes news: and snews:. Since most operating systems don\u0027t have a trusted newsreader installed by default, an unscrupulous program that the user downloaded could register itself as a handler. The website that served the application download could then launch that application at will This vulnerability affects Firefox \u003c 130, Firefox ESR \u003c 128.2, and Firefox ESR \u003c 115.15.",
"id": "GHSA-794f-5gfq-xmmq",
"modified": "2025-11-04T18:31:18Z",
"published": "2024-09-03T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8383"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1908496"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00025.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-41"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-43"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-794X-8X6X-QPFC
Vulnerability from github – Published: 2025-07-04 21:30 – Updated: 2025-07-07 12:45Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.zipkin:zipkin-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53602"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-07T12:45:39Z",
"nvd_published_at": "2025-07-04T21:15:23Z",
"severity": "MODERATE"
},
"details": "Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.",
"id": "GHSA-794x-8x6x-qpfc",
"modified": "2025-07-07T12:45:39Z",
"published": "2025-07-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53602"
},
{
"type": "WEB",
"url": "https://github.com/openzipkin/zipkin/pull/3804"
},
{
"type": "WEB",
"url": "https://github.com/openzipkin/zipkin/commit/3c7605dfdfab2dd341cf0ea121a56cefcd580d9e"
},
{
"type": "PACKAGE",
"url": "https://github.com/openzipkin/zipkin"
},
{
"type": "WEB",
"url": "https://zipkin.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint"
}
GHSA-796C-7JW3-FWPP
Vulnerability from github – Published: 2022-06-25 00:01 – Updated: 2022-06-25 00:01In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.
{
"affected": [],
"aliases": [
"CVE-2022-31806"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T08:15:00Z",
"severity": "CRITICAL"
},
"details": "In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.",
"id": "GHSA-796c-7jw3-fwpp",
"modified": "2022-06-25T00:01:01Z",
"published": "2022-06-25T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31806"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17140\u0026token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.