Common Weakness Enumeration

CWE-15

Allowed

External Control of System or Configuration Setting

Abstraction: Base · Status: Incomplete

One or more system settings or configuration elements can be externally controlled by a user.

137 vulnerabilities reference this CWE, most recent first.

CVE-2021-3707 (GCVE-0-2021-3707)

Vulnerability from cvelistv5 – Published: 2021-08-16 04:55 – Updated: 2024-08-03 17:01
VLAI
Summary
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.
Severity
No CVSS data available.
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
D-Link DSL-2750U Affected: firmware vME1.16 or prior versions
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:07.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/HadiMed/firmware-analysis/blob/main/DSL-2750U%20%28firmware%20version%201.6%29/README.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10230"
          },
          {
            "name": "JVNVU#92088210: Multiple vulnerabilities in D-Link router DSL-2750U",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/vu/JVNVU92088210/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DSL-2750U",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "firmware vME1.16 or prior versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15: External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-16T04:55:11.000Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/HadiMed/firmware-analysis/blob/main/DSL-2750U%20%28firmware%20version%201.6%29/README.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10230"
        },
        {
          "name": "JVNVU#92088210: Multiple vulnerabilities in D-Link router DSL-2750U",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "https://jvn.jp/en/vu/JVNVU92088210/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-3707",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DSL-2750U",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "firmware vME1.16 or prior versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "D-Link"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-15: External Control of System or Configuration Setting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/HadiMed/firmware-analysis/blob/main/DSL-2750U%20(firmware%20version%201.6)/README.md",
              "refsource": "MISC",
              "url": "https://github.com/HadiMed/firmware-analysis/blob/main/DSL-2750U%20(firmware%20version%201.6)/README.md"
            },
            {
              "name": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10230",
              "refsource": "CONFIRM",
              "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10230"
            },
            {
              "name": "JVNVU#92088210: Multiple vulnerabilities in D-Link router DSL-2750U",
              "refsource": "JVN",
              "url": "https://jvn.jp/en/vu/JVNVU92088210/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2021-3707",
    "datePublished": "2021-08-16T04:55:11.000Z",
    "dateReserved": "2021-08-15T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:01:07.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-25716 (GCVE-0-2019-25716)

Vulnerability from cvelistv5 – Published: 2026-06-01 21:15 – Updated: 2026-07-15 01:24
VLAI
Title
Dräger Infinity Delta/Kappa Patient Monitor DoS via Malformed Network Packet
Summary
Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
Vendor Product Version
Dräger Infinity Delta Affected: Infinity Delta (custom)
Create a notification for this product.
Dräger Infinity Delta XL Affected: Infinity Delta XL (custom)
Create a notification for this product.
Dräger Infinity Kappa Affected: Infinity Kappa (custom)
Create a notification for this product.
Date Public
2019-01-22 00:00
Credits
Marc Ruef and Rocco Gagliardi, scip AG
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-25716",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T15:09:36.384627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T15:45:56.330Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Infinity Delta",
          "vendor": "Dr\u00e4ger",
          "versions": [
            {
              "status": "affected",
              "version": "Infinity Delta",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Infinity Delta XL",
          "vendor": "Dr\u00e4ger",
          "versions": [
            {
              "status": "affected",
              "version": "Infinity Delta XL",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Infinity Kappa",
          "vendor": "Dr\u00e4ger",
          "versions": [
            {
              "status": "affected",
              "version": "Infinity Kappa",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:h:draeger:infinity_delta:infinity_delta:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:h:draeger:infinity_delta:infinity_delta_xl:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Ruef and Rocco Gagliardi, scip AG"
        }
      ],
      "datePublic": "2019-01-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDr\u00e4ger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity.\u003c/p\u003e"
            }
          ],
          "value": "Dr\u00e4ger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-15",
              "description": "CWE-15 External Control of System or Configuration Setting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T01:24:10.429Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://static.draeger.com/security/download/2019-01-22-draeger-infinity-delta-vf10-1-security-advisory.pdf"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dr-ger-infinity-delta-kappa-patient-monitor-dos-via-malformed-network-packet"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Dr\u00e4ger Infinity Delta/Kappa Patient Monitor DoS via Malformed Network Packet",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2019-25716",
    "datePublished": "2026-06-01T21:15:07.156Z",
    "dateReserved": "2026-06-01T20:44:47.913Z",
    "dateUpdated": "2026-07-15T01:24:10.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-295C-QXG5-G88Q

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-11-04 00:32
VLAI
Details

Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the open_port POST parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T15:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "Multiple external config control vulnerabilities exists in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `open_port` POST parameter.",
  "id": "GHSA-295c-qxg5-g88q",
  "modified": "2025-11-04T00:32:17Z",
  "published": "2025-01-14T15:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39800"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2050"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FGQ-7J6H-9RM4

Vulnerability from github – Published: 2026-03-03 00:40 – Updated: 2026-03-30 13:19
VLAI
Summary
OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
Details

Summary

system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.21-2 (includes latest published npm version at triage time)
  • Patched (planned next release): 2026.2.22

Impact

In allowlist mode, an attacker who can invoke system.run with request-scoped env could execute additional shell commands outside the intended allowlisted command body.

Root Cause

Host exec env sanitization blocked startup-file vectors (BASH_ENV, ENV, etc.) but did not block SHELLOPTS/PS4. For shell wrappers (bash|sh|zsh ... -c/-lc), request env overrides were passed through and bash evaluated PS4 under xtrace, enabling command substitution.

Fix

  • Block SHELLOPTS and PS4 in host exec env sanitizers (Node + macOS).
  • For shell wrappers (bash|sh|zsh ... -c/-lc), reduce request-scoped env overrides to an explicit allowlist (TERM, LANG, LC_*, COLORTERM, NO_COLOR, FORCE_COLOR).
  • Add regression tests for TS and macOS paths.

Fix Commit(s)

  • e80c803fa887f9699ad87a9e906ab5c1ff85bd9a

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, advisory publication is a final state action only.

Severity Rationale

This advisory is rated medium because exploitation requires a caller that can already invoke system.run with request-scoped env.

Under OpenClaw's documented trust model (SECURITY.md), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.

The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T00:40:56Z",
    "nvd_published_at": "2026-03-19T22:16:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.21-2` (includes latest published npm version at triage time)\n- Patched (planned next release): `2026.2.22`\n\n### Impact\nIn `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body.\n\n### Root Cause\nHost exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution.\n\n### Fix\n- Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS).\n- For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).\n- Add regression tests for TS and macOS paths.\n\n### Fix Commit(s)\n- `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only.\n\n### Severity Rationale\nThis advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`.\n\nUnder OpenClaw\u0027s documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.\n\nThe bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-2fgq-7j6h-9rm4",
  "modified": "2026-03-30T13:19:17Z",
  "published": "2026-03-03T00:40:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32003"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shellopts-ps4-environment-injection-in-system-run"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)"
}

GHSA-2JW2-W8HC-JQCH

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 18:31
VLAI
Details

An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T15:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
  "id": "GHSA-2jw2-w8hc-jqch",
  "modified": "2025-01-14T18:31:56Z",
  "published": "2025-01-14T15:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38666"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2051"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2051"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2R9H-X757-8J9Q

Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2025-11-04 00:32
VLAI
Details

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T13:15:04Z",
    "severity": "HIGH"
  },
  "details": "Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH).  That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.",
  "id": "GHSA-2r9h-x757-8j9q",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-14T15:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10979"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250110-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2024-10979"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RFJ-V79G-2X66

Vulnerability from github – Published: 2025-08-22 03:30 – Updated: 2025-08-22 03:30
VLAI
Details

Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T03:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which\u00a0could allow for a denial of service attack induced by improper handling of exceptional conditions",
  "id": "GHSA-2rfj-v79g-2x66",
  "modified": "2025-08-22T03:30:25Z",
  "published": "2025-08-22T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41452"
    },
    {
      "type": "WEB",
      "url": "https://www.danfoss.com/en/service-and-support/downloads/dcs/adap-kool-software/ak-sm-800a/#tab-overview"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-32MX-3MQX-P47V

Vulnerability from github – Published: 2023-07-24 18:30 – Updated: 2024-04-04 06:20
VLAI
Details

A vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted programs to exploit the vulnerabilities by allowing them to run on the zenon installed hosts. This issue affects ABB Ability™ zenon: from 11 build through 11 build 106404.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-24T18:15:23Z",
    "severity": "HIGH"
  },
  "details": "\nA vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted\nprograms to exploit the vulnerabilities by allowing them to run on the zenon installed hosts.\nThis issue affects ABB Ability\u2122 zenon: from 11 build through 11 build 106404.\n\n",
  "id": "GHSA-32mx-3mqx-p47v",
  "modified": "2024-04-04T06:20:22Z",
  "published": "2023-07-24T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3321"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\u0026_ga=2.194142766.2067879716.1690216773-1911411808.1686627590"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33PW-8V2F-85MJ

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 18:31
VLAI
Details

An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T15:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.",
  "id": "GHSA-33pw-8v2f-85mj",
  "modified": "2025-01-14T18:31:56Z",
  "published": "2025-01-14T15:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39280"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2055"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2055"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-35QH-7F6C-RJF7

Vulnerability from github – Published: 2024-02-15 06:31 – Updated: 2025-01-31 00:30
VLAI
Details

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-15T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.",
  "id": "GHSA-35qh-7f6c-rjf7",
  "modified": "2025-01-31T00:30:43Z",
  "published": "2024-02-15T06:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1488"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1750"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1751"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1780"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1801"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1802"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1804"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2587"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2696"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:0837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1488"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Implementation Architecture and Design

Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

Mitigation
Implementation Architecture and Design

In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-146: XML Schema Poisoning

An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.

CAPEC-176: Configuration/Environment Manipulation

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

CAPEC-203: Manipulate Registry Information

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

CAPEC-270: Modification of Registry Run Keys

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

CAPEC-271: Schema Poisoning

An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.

CAPEC-579: Replace Winlogon Helper DLL

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

CAPEC-69: Target Programs with Elevated Privileges

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.