CWE-453
AllowedInsecure Default Variable Initialization
Abstraction: Variant · Status: Draft
The product, by default, initializes an internal variable with an insecure or less secure value than is possible.
34 vulnerabilities reference this CWE, most recent first.
CVE-2022-47195 (GCVE-0-2022-47195)
Vulnerability from cvelistv5 – Published: 2023-01-19 17:02 – Updated: 2025-11-04 19:14- CWE-453 - Insecure Default Variable Initialization
| Vendor | Product | Version | |
|---|---|---|---|
| Ghost Foundation | Ghost |
Affected:
5.9.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:27.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-47195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T19:11:54.067519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T12:59:44.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "Ghost Foundation",
"versions": [
{
"status": "affected",
"version": "5.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-453",
"description": "CWE-453: Insecure Default Variable Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T17:02:15.655Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2022-47195",
"datePublished": "2023-01-19T17:02:15.655Z",
"dateReserved": "2022-12-12T19:47:21.504Z",
"dateUpdated": "2025-11-04T19:14:27.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-47194 (GCVE-0-2022-47194)
Vulnerability from cvelistv5 – Published: 2023-01-19 17:02 – Updated: 2025-11-04 19:14- CWE-453 - Insecure Default Variable Initialization
| Vendor | Product | Version | |
|---|---|---|---|
| Ghost Foundation | Ghost |
Affected:
5.9.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:14:26.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-47194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T19:12:24.620995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:00:05.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ghost",
"vendor": "Ghost Foundation",
"versions": [
{
"status": "affected",
"version": "5.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-453",
"description": "CWE-453: Insecure Default Variable Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-19T17:02:10.446Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2022-47194",
"datePublished": "2023-01-19T17:02:10.446Z",
"dateReserved": "2022-12-12T19:47:21.503Z",
"dateUpdated": "2025-11-04T19:14:26.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3262 (GCVE-0-2022-3262)
Vulnerability from cvelistv5 – Published: 2022-12-08 00:00 – Updated: 2025-04-23 15:19{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:05.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128858"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:17:59.968788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Initialization of a Resource with an Insecure Default",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:19:14.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openshift",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Openshift. A pod with a DNSPolicy of \"ClusterFirst\" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-453",
"description": "CWE-453",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128858"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-3262",
"datePublished": "2022-12-08T00:00:00.000Z",
"dateReserved": "2022-09-21T00:00:00.000Z",
"dateUpdated": "2025-04-23T15:19:14.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27426 (GCVE-0-2021-27426)
Vulnerability from cvelistv5 – Published: 2022-03-23 19:46 – Updated: 2025-04-16 16:40- CWE-453 - Insecure Default Variable Initialization
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_CONFIRM |
| https://www.gegridsolutions.com/Passport/Login.aspx | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:17.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gegridsolutions.com/Passport/Login.aspx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-27426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:57:43.287920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:40:28.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "UR family",
"vendor": "GE",
"versions": [
{
"lessThan": "8.1x",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "SCADA-X, DOE\u2019s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these vulnerabilities to GE."
}
],
"descriptions": [
{
"lang": "en",
"value": "GE UR IED firmware versions prior to version 8.1x with \u201cBasic\u201d security variant does not allow the disabling of the \u201cFactory Mode,\u201d which is used for servicing the IED by a \u201cFactory\u201d user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-453",
"description": "CWE-453 Insecure Default Variable Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-23T19:46:27.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gegridsolutions.com/Passport/Login.aspx"
}
],
"solutions": [
{
"lang": "en",
"value": "GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "GE UR family insecure default variable initialization",
"workarounds": [
{
"lang": "en",
"value": "GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. \n\nGE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-27426",
"STATE": "PUBLIC",
"TITLE": "GE UR family insecure default variable initialization"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "UR family",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.1x"
}
]
}
}
]
},
"vendor_name": "GE"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "SCADA-X, DOE\u2019s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these vulnerabilities to GE."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GE UR IED firmware versions prior to version 8.1x with \u201cBasic\u201d security variant does not allow the disabling of the \u201cFactory Mode,\u201d which is used for servicing the IED by a \u201cFactory\u201d user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-453 Insecure Default Variable Initialization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02"
},
{
"name": "https://www.gegridsolutions.com/Passport/Login.aspx",
"refsource": "CONFIRM",
"url": "https://www.gegridsolutions.com/Passport/Login.aspx"
}
]
},
"solution": [
{
"lang": "en",
"value": "GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. \n\nGE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-27426",
"datePublished": "2022-03-23T19:46:27.000Z",
"dateReserved": "2021-02-19T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:40:28.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-3X4G-4374-V83H
Vulnerability from github – Published: 2024-09-13 21:31 – Updated: 2024-09-16 18:31there is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-44096"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-453"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T21:15:10Z",
"severity": "MODERATE"
},
"details": "there is a possible arbitrary read due to an insecure default value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-3x4g-4374-v83h",
"modified": "2024-09-16T18:31:21Z",
"published": "2024-09-13T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44096"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2024-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JMM-C6JW-G796
Vulnerability from github – Published: 2024-07-31 21:32 – Updated: 2024-09-06 21:37filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mickael-kerjean/filestash"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41255"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-453"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-02T16:27:35Z",
"nvd_published_at": "2024-07-31T21:15:18Z",
"severity": "HIGH"
},
"details": "filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.",
"id": "GHSA-4jmm-c6jw-g796",
"modified": "2024-09-06T21:37:51Z",
"published": "2024-07-31T21:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41255"
},
{
"type": "WEB",
"url": "https://github.com/mickael-kerjean/filestash/issues/710"
},
{
"type": "WEB",
"url": "https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4jmm-c6jw-g796"
},
{
"type": "PACKAGE",
"url": "https://github.com/mickael-kerjean/filestash"
},
{
"type": "WEB",
"url": "https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3033"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Filestash configured to skip TLS certificate verification when using the FTPS protocol"
}
GHSA-5PQW-JJJW-GF67
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33Windows Remote Desktop Services Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49120"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-453"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:04:38Z",
"severity": "HIGH"
},
"details": "Windows Remote Desktop Services Remote Code Execution Vulnerability",
"id": "GHSA-5pqw-jjjw-gf67",
"modified": "2024-12-12T03:33:05Z",
"published": "2024-12-12T03:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49120"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5R5J-MWFC-HGXH
Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31Skype for Consumer Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21411"
],
"database_specific": {
"cwe_ids": [
"CWE-453"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T17:15:50Z",
"severity": "HIGH"
},
"details": "Skype for Consumer Remote Code Execution Vulnerability",
"id": "GHSA-5r5j-mwfc-hgxh",
"modified": "2024-03-12T18:31:12Z",
"published": "2024-03-12T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21411"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-67Q8-HW3V-9FJ4
Vulnerability from github – Published: 2024-08-16 00:32 – Updated: 2024-08-16 18:30In onForegroundServiceButtonClicked of FooterActionsViewModel.kt, there is a possible way to disable the active VPN app from the lockscreen due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-34734"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-453"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T22:15:06Z",
"severity": "HIGH"
},
"details": "In onForegroundServiceButtonClicked of FooterActionsViewModel.kt, there is a possible way to disable the active VPN app from the lockscreen due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-67q8-hw3v-9fj4",
"modified": "2024-08-16T18:30:57Z",
"published": "2024-08-16T00:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34734"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/207584fb6f820eba14251251d7e9331bfd57adb8"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-879P-8GW4-MCPW
Vulnerability from github – Published: 2024-03-15 19:01 – Updated: 2024-03-15 19:01Impact
Any users whom would not desire a traceback to be included in their logs whenever an error is raised in their code will be affected.
If users have inadvertently created a scenario in their code that could cause a traceback to include sensitive information and a malicious entity gained access to their log stream, this could create an issue.
Patches
None yet... users will need to upgrade to 0.4.*
Workarounds
No particularly reasonable ones at present.
References
- https://cwe.mitre.org/data/definitions/453.html
- https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/stack-trace-disclosure-python/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fgr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-453"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-15T19:01:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nAny users whom would not desire a traceback to be included in their logs whenever an error is raised in their code will be affected.\n\nIf users have inadvertently created a scenario in their code that could cause a traceback to include sensitive information _and_ a malicious entity gained access to their log stream, this could create an issue.\n\n### Patches\nNone yet... users will need to upgrade to `0.4.*`\n\n### Workarounds\nNo particularly reasonable ones at present.\n\n### References\n* https://cwe.mitre.org/data/definitions/453.html\n* https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/stack-trace-disclosure-python/",
"id": "GHSA-879p-8gw4-mcpw",
"modified": "2024-03-15T19:01:10Z",
"published": "2024-03-15T19:01:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dan1hc/fgr/security/advisories/GHSA-879p-8gw4-mcpw"
},
{
"type": "PACKAGE",
"url": "https://github.com/dan1hc/fgr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": " fgr Vulnerable to Insecure Default Variable Initialization"
}
Mitigation
Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.
No CAPEC attack patterns related to this CWE.