Common Weakness Enumeration

CWE-749

Allowed

Exposed Dangerous Method or Function

Abstraction: Base · Status: Incomplete

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

303 vulnerabilities reference this CWE, most recent first.

GHSA-WQ34-QCH7-HR2G

Vulnerability from github – Published: 2023-03-09 00:30 – Updated: 2023-03-15 21:30
VLAI
Details

REMAP cmd of SVM driver can be used to remap read only memory as read-write, then cause read only memory/file modified.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-08T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "REMAP cmd of SVM driver can be used to remap read only memory as read-write, then cause read only memory/file modified.",
  "id": "GHSA-wq34-qch7-hr2g",
  "modified": "2023-03-15T21:30:26Z",
  "published": "2023-03-09T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33639"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openeuler/kernel/commit/e4d0684a3ce68e7f8e11408121e791cd80312b27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW7H-G2QF-7XV6

Vulnerability from github – Published: 2025-01-14 15:40 – Updated: 2025-05-21 14:13
VLAI
Summary
TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery
Details

Problem

A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.

Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:

  • the user opens a malicious link, such as one sent via email.
  • the user visits a compromised or manipulated website while the following settings are misconfigured:
  • security.backend.enforceReferrer feature is disabled,
  • BE/cookieSameSite configuration is set to lax or none

The vulnerability in the affected downstream component “Form Framework Module” allows attackers to manipulate or delete persisted form definitions.

Solution

Update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

Credits

Thanks to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.4.47"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-form"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.5.41"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-form"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.4.24"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-form"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.4.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-form"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-14T15:40:37Z",
    "nvd_published_at": "2025-01-14T20:15:30Z",
    "severity": "MODERATE"
  },
  "details": "### Problem\nA vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.\n\nSuccessful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:\n\n* the user opens a malicious link, such as one sent via email.\n* the user visits a compromised or manipulated website while the following settings are misconfigured:\n  + `security.backend.enforceReferrer` feature is disabled,\n  + `BE/cookieSameSite` configuration is set to `lax` or `none`\n\nThe vulnerability in the affected downstream component \u201cForm Framework Module\u201d allows attackers to manipulate or delete persisted form definitions.\n\n### Solution\nUpdate to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.\n\n### Credits\nThanks to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias H\u00e4u\u00dfler who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2025-007](https://typo3.org/security/advisory/typo3-core-sa-2025-007)",
  "id": "GHSA-ww7h-g2qf-7xv6",
  "modified": "2025-05-21T14:13:01Z",
  "published": "2025-01-14T15:40:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-ww7h-g2qf-7xv6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55922"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/form/commit/93327743f5dfd31c44898ce16e3e004e05f8ba5f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/form"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery"
}

GHSA-WX95-XVQF-3525

Vulnerability from github – Published: 2026-06-10 15:31 – Updated: 2026-06-10 15:31
VLAI
Details

A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T15:16:42Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.",
  "id": "GHSA-wx95-xvqf-3525",
  "modified": "2026-06-10T15:31:33Z",
  "published": "2026-06-10T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7516"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/440821"
    },
    {
      "type": "WEB",
      "url": "https://shop.lenovo.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X63C-C6FQ-2VVQ

Vulnerability from github – Published: 2022-05-17 00:16 – Updated: 2022-05-17 00:16
VLAI
Details

TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-22T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties.",
  "id": "GHSA-x63c-c6fq-2vvq",
  "modified": "2022-05-17T00:16:44Z",
  "published": "2022-05-17T00:16:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2735"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97224"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6QJ-4H56-5RJ5

Vulnerability from github – Published: 2026-06-16 23:39 – Updated: 2026-06-16 23:39
VLAI
Summary
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Details

Summary

This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.

Details

The fix for GHSA-6m52-m754-pw2g added an Origin / Referer fallback to the dev-middleware same-origin check, with a return true branch when neither header is present so that non-browser clients (curl, the HMR client, address-bar navigation) keep working.

That fallback is bypassed when a cross-origin attacker request reaches the dev server with all three signal headers absent:

  • Sec-Fetch-Site is not sent by browsers to non-potentially-trustworthy destinations (HTTP on a non-loopback address).
  • Origin is not sent on non-CORS subresource fetches (a bare <script> with no crossorigin).
  • Referer can be suppressed by the attacker page with <meta name="referrer" content="no-referrer"> or referrerpolicy="no-referrer" on the <script> element.

A classic <script src="http://VICTIM_LAN_IP:3000/_nuxt/app.js" referrerpolicy="no-referrer"> from a non-trustworthy attacker origin produces exactly that header set, the request is allowed, and the attacker page can read the built source out of window.webpackChunk* via Function.prototype.toString().

Since the attack requires the dev server to be reachable via a non-potentially-trustworthy origin, only apps using --host (or --host 0.0.0.0) are affected. Chrome 142+ users are also protected by Local Network Access restrictions.

PoC

  1. Create a Nuxt project with the webpack / rspack builder.
  2. Run npm run dev -- --host 0.0.0.0.
  3. Open http://localhost:3000 on the developer machine.
  4. From a different LAN host, serve the page below and open it in the same browser.
  5. The compiled module source is exfiltrable from window.webpackChunknuxt_<projectname>.
<!doctype html>
<meta name="referrer" content="no-referrer">
<script>
  ['/_nuxt/runtime.js', '/_nuxt/app.js'].forEach(p => {
    const s = document.createElement('script')
    s.src = 'http://VICTIM_LAN_IP:3000' + p
    s.referrerPolicy = 'no-referrer'
    document.head.appendChild(s)
  })
  setTimeout(() => {
    const key = Object.keys(window).find(k => k.startsWith('webpackChunk'))
    for (const [, mods] of window[key]) {
      for (const id in mods) {
        console.log(id, mods[id].toString())
      }
    }
  }, 1500)
</script>

Impact

Users using the webpack / rspack builder with nuxt dev --host may get the built source code read by malicious websites on the same network, including module identifiers, the developer's local filesystem path, and any developer-controlled strings inlined into the bundle.

This vulnerability does not affect Chrome 142+ (and other Chromium-based browsers) users due to Local Network Access restrictions.

The default Vite builder is not affected.

Patches

Fixed in @nuxt/webpack-builder@4.4.7 / @nuxt/rspack-builder@4.4.7 and backported to @nuxt/webpack-builder@3.21.7 / @nuxt/rspack-builder@3.21.7 by #35200 (4.x: commit e351de94; 3.x: commit 77187ee4). The dev-middleware same-origin check now treats a request with no Sec-Fetch-Site, no Origin, and no Referer as same-origin only when the dev server is loopback-bound, closing the header-suppression bypass.

The fix only ships for the @nuxt/webpack-builder and @nuxt/rspack-builder packages. The default Vite builder was not affected.

Workarounds

If you cannot upgrade immediately:

  • Don't use nuxt dev --host. Bind the dev server to localhost (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.
  • Use Chrome 142+ or another Chromium-based browser that enforces Local Network Access restrictions.
  • Switch to the Vite builder for development.

Credit

Reported by Berkan SAL (@Uhudsavasindankacanokcu2) via the Vercel Open Source HackerOne program.

Independently reported by @DavidCarliez via GitHub's coordinated disclosure flow (GHSA-xw96-2f5x-v9pv), closed as a duplicate of this advisory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/webpack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nuxt/rspack-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.4"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T23:39:16Z",
    "nvd_published_at": "2026-06-12T14:16:32Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThis is an incomplete fix for [GHSA-6m52-m754-pw2g](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g). Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the developer opens a malicious site on the same network.\n\n### Details\nThe fix for [GHSA-6m52-m754-pw2g](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g) added an `Origin` / `Referer` fallback to the dev-middleware same-origin check, with a `return true` branch when neither header is present so that non-browser clients (curl, the HMR client, address-bar navigation) keep working.\n\nThat fallback is bypassed when a cross-origin attacker request reaches the dev server with all three signal headers absent:\n\n- `Sec-Fetch-Site` is [not sent by browsers to non-potentially-trustworthy destinations](https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header) (HTTP on a non-loopback address).\n- `Origin` is not sent on non-CORS subresource fetches (a bare `\u003cscript\u003e` with no `crossorigin`).\n- `Referer` can be suppressed by the attacker page with `\u003cmeta name=\"referrer\" content=\"no-referrer\"\u003e` or `referrerpolicy=\"no-referrer\"` on the `\u003cscript\u003e` element.\n\nA classic `\u003cscript src=\"http://VICTIM_LAN_IP:3000/_nuxt/app.js\" referrerpolicy=\"no-referrer\"\u003e` from a non-trustworthy attacker origin produces exactly that header set, the request is allowed, and the attacker page can read the built source out of `window.webpackChunk*` via `Function.prototype.toString()`.\n\nSince the attack requires the dev server to be reachable via a non-potentially-trustworthy origin, only apps using `--host` (or `--host 0.0.0.0`) are affected. Chrome 142+ users are also protected by [Local Network Access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\n### PoC\n1. Create a Nuxt project with the webpack / rspack builder.\n1. Run `npm run dev -- --host 0.0.0.0`.\n1. Open `http://localhost:3000` on the developer machine.\n1. From a different LAN host, serve the page below and open it in the same browser.\n1. The compiled module source is exfiltrable from `window.webpackChunknuxt_\u003cprojectname\u003e`.\n\n```html\n\u003c!doctype html\u003e\n\u003cmeta name=\"referrer\" content=\"no-referrer\"\u003e\n\u003cscript\u003e\n  [\u0027/_nuxt/runtime.js\u0027, \u0027/_nuxt/app.js\u0027].forEach(p =\u003e {\n    const s = document.createElement(\u0027script\u0027)\n    s.src = \u0027http://VICTIM_LAN_IP:3000\u0027 + p\n    s.referrerPolicy = \u0027no-referrer\u0027\n    document.head.appendChild(s)\n  })\n  setTimeout(() =\u003e {\n    const key = Object.keys(window).find(k =\u003e k.startsWith(\u0027webpackChunk\u0027))\n    for (const [, mods] of window[key]) {\n      for (const id in mods) {\n        console.log(id, mods[id].toString())\n      }\n    }\n  }, 1500)\n\u003c/script\u003e\n```\n\n### Impact\nUsers using the webpack / rspack builder with `nuxt dev --host` may get the built source code read by malicious websites on the same network, including module identifiers, the developer\u0027s local filesystem path, and any developer-controlled strings inlined into the bundle.\n\nThis vulnerability does not affect Chrome 142+ (and other Chromium-based browsers) users due to [Local Network Access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n\nThe default Vite builder is not affected.\n\n### Patches\nFixed in `@nuxt/webpack-builder@4.4.7` / `@nuxt/rspack-builder@4.4.7` and backported to `@nuxt/webpack-builder@3.21.7` / `@nuxt/rspack-builder@3.21.7` by [#35200](https://github.com/nuxt/nuxt/pull/35200) (4.x: commit [`e351de94`](https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3); 3.x: commit [`77187ee4`](https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05)). The dev-middleware same-origin check now treats a request with no `Sec-Fetch-Site`, no `Origin`, and no `Referer` as same-origin only when the dev server is loopback-bound, closing the header-suppression bypass.\n\nThe fix only ships for the `@nuxt/webpack-builder` and `@nuxt/rspack-builder` packages. The default Vite builder was not affected.\n\n### Workarounds\nIf you cannot upgrade immediately:\n\n- Don\u0027t use `nuxt dev --host`. Bind the dev server to `localhost` (the default) and tunnel from other devices via SSH or a reverse proxy that enforces same-origin checks.\n- Use Chrome 142+ or another Chromium-based browser that enforces [Local Network Access restrictions](https://developer.chrome.com/release-notes/142#local_network_access_restrictions).\n- Switch to the Vite builder for development.\n\n### Credit\nReported by Berkan SAL ([@Uhudsavasindankacanokcu2](https://github.com/Uhudsavasindankacanokcu2)) via the Vercel Open Source HackerOne program.\n\nIndependently reported by [@DavidCarliez](https://github.com/DavidCarliez) via GitHub\u0027s coordinated disclosure flow (`GHSA-xw96-2f5x-v9pv`), closed as a duplicate of this advisory.",
  "id": "GHSA-x6qj-4h56-5rj5",
  "modified": "2026-06-16T23:39:17Z",
  "published": "2026-06-16T23:39:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/pull/35200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)"
}

GHSA-X76F-6Q7R-J9QQ

Vulnerability from github – Published: 2024-07-15 15:31 – Updated: 2024-07-15 15:31
VLAI
Details

Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-15T14:15:03Z",
    "severity": "HIGH"
  },
  "details": "Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.",
  "id": "GHSA-x76f-6q7r-j9qq",
  "modified": "2024-07-15T15:31:01Z",
  "published": "2024-07-15T15:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6689"
    },
    {
      "type": "WEB",
      "url": "https://www.baramundi.com/en-us/security-info/s-2024-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X77X-P923-HP6Q

Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30
VLAI
Details

RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27658.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27658.",
  "id": "GHSA-x77x-p923-hp6q",
  "modified": "2025-12-24T00:30:16Z",
  "published": "2025-12-24T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14489"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7H5-VHW2-PMFF

Vulnerability from github – Published: 2026-05-04 18:30 – Updated: 2026-05-04 18:30
VLAI
Details

Memory corruption while processing IOCTL command when device is in power-save state.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-04T17:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Memory corruption while processing IOCTL command when device is in power-save state.",
  "id": "GHSA-x7h5-vhw2-pmff",
  "modified": "2026-05-04T18:30:30Z",
  "published": "2026-05-04T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25266"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X86W-JCWP-263F

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the MonitorConsole class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-22024.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:16:17Z",
    "severity": "HIGH"
  },
  "details": "Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the MonitorConsole class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-22024.",
  "id": "GHSA-x86w-jcwp-263f",
  "modified": "2024-05-03T03:31:07Z",
  "published": "2024-05-03T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51578"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1884"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFP5-23MR-JWJM

Vulnerability from github – Published: 2025-07-17 21:32 – Updated: 2025-07-17 21:32
VLAI
Details

GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-17T20:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.",
  "id": "GHSA-xfp5-23mr-jwjm",
  "modified": "2025-07-17T21:32:16Z",
  "published": "2025-07-17T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goldendict/goldendict/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tigr78/CVE-2025-53964"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
  • Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
  • accessible to all users
  • restricted to a small set of privileged users
  • prevented from being directly accessible at all
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.