Common Weakness Enumeration

CWE-453

Allowed

Insecure Default Variable Initialization

Abstraction: Variant · Status: Draft

The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

34 vulnerabilities reference this CWE, most recent first.

GHSA-QPCR-MXC8-RJF5

Vulnerability from github – Published: 2022-10-21 19:01 – Updated: 2022-10-24 19:00
VLAI
Details

A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211959.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-21T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in Linux Kernel. This affects the function rtl8188f_spur_calibration of the file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the component Wireless. The manipulation of the argument hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211959.",
  "id": "GHSA-qpcr-mxc8-rjf5",
  "modified": "2022-10-24T19:00:16Z",
  "published": "2022-10-21T19:01:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3642"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.211959"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VW7M-649J-QH5X

Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the codeinjection_foot for a post.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.",
  "id": "GHSA-vw7m-649j-qh5x",
  "modified": "2025-11-04T21:30:28Z",
  "published": "2023-01-19T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47197"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX4R-H2XH-2C27

Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the codeinjection_head for a post.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-453",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post.",
  "id": "GHSA-vx4r-h2xh-2c27",
  "modified": "2025-11-04T21:30:28Z",
  "published": "2023-01-19T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47196"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W638-4H8H-246J

Vulnerability from github – Published: 2025-03-25 00:30 – Updated: 2025-03-25 00:30
VLAI
Details

A vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. Affected by this issue is the function gsf_base64_encode_simple. The manipulation of the argument size leads to use of uninitialized variable. The attack needs to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T00:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. Affected by this issue is the function gsf_base64_encode_simple. The manipulation of the argument size leads to use of uninitialized variable. The attack needs to be approached locally. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-w638-4h8h-246j",
  "modified": "2025-03-25T00:30:27Z",
  "published": "2025-03-25T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2720"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300740"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300740"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.520180"
    },
    {
      "type": "WEB",
      "url": "https://www.gnome.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
System Configuration

Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.

No CAPEC attack patterns related to this CWE.