CWE-453
AllowedInsecure Default Variable Initialization
Abstraction: Variant · Status: Draft
The product, by default, initializes an internal variable with an insecure or less secure value than is possible.
34 vulnerabilities reference this CWE, most recent first.
GHSA-QPCR-MXC8-RJF5
Vulnerability from github – Published: 2022-10-21 19:01 – Updated: 2022-10-24 19:00A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211959.
{
"affected": [],
"aliases": [
"CVE-2022-3642"
],
"database_specific": {
"cwe_ids": [
"CWE-453",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-21T16:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211959.",
"id": "GHSA-qpcr-mxc8-rjf5",
"modified": "2022-10-24T19:00:16Z",
"published": "2022-10-21T19:01:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3642"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VW7M-649J-QH5X
Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the codeinjection_foot for a post.
{
"affected": [],
"aliases": [
"CVE-2022-47197"
],
"database_specific": {
"cwe_ids": [
"CWE-453",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-19T18:15:00Z",
"severity": "MODERATE"
},
"details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.",
"id": "GHSA-vw7m-649j-qh5x",
"modified": "2025-11-04T21:30:28Z",
"published": "2023-01-19T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47197"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VX4R-H2XH-2C27
Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the codeinjection_head for a post.
{
"affected": [],
"aliases": [
"CVE-2022-47196"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-453",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-19T18:15:00Z",
"severity": "MODERATE"
},
"details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post.",
"id": "GHSA-vx4r-h2xh-2c27",
"modified": "2025-11-04T21:30:28Z",
"published": "2023-01-19T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47196"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W638-4H8H-246J
Vulnerability from github – Published: 2025-03-25 00:30 – Updated: 2025-03-25 00:30A vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. Affected by this issue is the function gsf_base64_encode_simple. The manipulation of the argument size leads to use of uninitialized variable. The attack needs to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-2720"
],
"database_specific": {
"cwe_ids": [
"CWE-453"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T00:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. Affected by this issue is the function gsf_base64_encode_simple. The manipulation of the argument size leads to use of uninitialized variable. The attack needs to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-w638-4h8h-246j",
"modified": "2025-03-25T00:30:27Z",
"published": "2025-03-25T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2720"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.300740"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.300740"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.520180"
},
{
"type": "WEB",
"url": "https://www.gnome.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.
No CAPEC attack patterns related to this CWE.