Common Weakness Enumeration

CWE-1188

Allowed

Initialization of a Resource with an Insecure Default

Abstraction: Base · Status: Incomplete

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

404 vulnerabilities reference this CWE, most recent first.

GHSA-83X9-MPVP-8R2X

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "HIGH"
  },
  "details": "Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.",
  "id": "GHSA-83x9-mpvp-8r2x",
  "modified": "2022-05-13T01:19:27Z",
  "published": "2022-05-13T01:19:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17485"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149645"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8444-4FHQ-FXPQ

Vulnerability from github – Published: 2026-05-29 22:29 – Updated: 2026-05-29 22:29
VLAI
Summary
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Details

Summary

CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (praisonai.deploy.api.generate_api_server_code) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (praisonai deploy --type api) get a server that:

  • binds to 0.0.0.0 per the recommended sample YAML
  • exposes /chat and /agents endpoints
  • runs praisonai.run() on user-supplied JSON input — LLM orchestration with the API key materials present in the process environment
  • does not require any authentication

The PyPI wheel praisonai==4.6.33 (current @latest) still ships the generator with auth_enabled defaulting to False. The fix shape is opt-in via APIConfig(auth_enabled=True, auth_token=...).

Details

Anchor (file:line:symbol)

  • Vulnerable artifact: praisonai==4.6.33 on PyPI.
  • Defaults: praisonai/deploy/models.py:29auth_enabled: bool = Field(default=False, ...); praisonai/deploy/models.py:30auth_token: Optional[str] = Field(default=None, ...).
  • Generator: praisonai/deploy/api.py:40AUTH_ENABLED = {config.auth_enabled}; api.py:41AUTH_TOKEN = {repr(config.auth_token)}; api.py:43-49def check_auth(): if not AUTH_ENABLED: return True.
  • CLI entry: documented as praisonai deploy --type api (vendor README); produces the generator output above with no flag required to suppress the warning, because no warning is emitted.

Vulnerable code (verbatim from installed wheel)

# praisonai/deploy/models.py (praisonai==4.6.33)
class APIConfig(BaseModel):
    host: str = Field(default="127.0.0.1", description="Server host")
    port: int = Field(default=8005, description="Server port")
    cors_enabled: bool = Field(default=True, description="Enable CORS")
    auth_enabled: bool = Field(default=False, description="Enable authentication")     # line 29
    auth_token: Optional[str] = Field(default=None, description="Authentication token") # line 30
# praisonai/deploy/api.py (praisonai==4.6.33)
code = f\'\'\'...
# Authentication
AUTH_ENABLED = {config.auth_enabled}      # False by default
AUTH_TOKEN   = {repr(config.auth_token)}  # None by default

def check_auth():
    if not AUTH_ENABLED:
        return True                       # short-circuit, accept all
    token = request.headers.get(\'Authorization\', \'\').replace(\'Bearer \', \'\')
    return token == AUTH_TOKEN
...
\'\'\'

A default invocation of the deploy command emits a server whose check_auth() short-circuits to True and accepts unauthenticated /chat, /agents POSTs.

PoC

#!/usr/bin/env python3
"""
legend-c420 PoC - PraisonAI 4.6.33 generates Flask API server with auth
disabled by default. Class H sibling of CVE-2026-44338.

Phase 1: reflect on praisonai.deploy.models.APIConfig defaults.
Phase 2: call generate_api_server_code(default config) and assert the
         emitted source contains AUTH_ENABLED = False and the
         short-circuit return.
Phase 3: re-run with auth_enabled=True, auth_token='s3cret-bearer-value'
         and confirm the emitted source flips to the secure shape.

Exit code 0 = PASS = vulnerable defaults confirmed.
"""
import sys, traceback

def phase1_dataclass_defaults():
    print("PHASE 1 - praisonai.deploy.models.APIConfig default values")
    from praisonai.deploy.models import APIConfig
    cfg = APIConfig()
    checks = [
        ("auth_enabled", cfg.auth_enabled, False),
        ("auth_token",   cfg.auth_token,   None),
    ]
    for name, observed, expected in checks:
        ok = observed == expected
        mark = "VULNERABLE" if name in ("auth_enabled","auth_token") and ok else "ok"
        print(f"  {name:14s} = {observed!r:18s}  (expected {expected!r})  [{mark}]")
        assert ok
    print("  >> APIConfig defaults reproduce the CVE-2026-44338 shape.")

def phase2_default_generator_emits_unauth():
    print("PHASE 2 - generate_api_server_code(default config) emits unauth server")
    from praisonai.deploy.models import APIConfig
    from praisonai.deploy.api import generate_api_server_code
    src = generate_api_server_code("agents.yaml", config=APIConfig())
    for needle in ["AUTH_ENABLED = False","AUTH_TOKEN = None","if not AUTH_ENABLED:","return True"]:
        assert needle in src, f"missing: {needle!r}"
        print(f"  [FOUND] {needle!r}")
    print("  >> Default-config generator emits Flask server with check_auth() short-circuit.")

def phase3_fix_shape_available():
    print("PHASE 3 - auth_enabled=True flips to secure shape")
    from praisonai.deploy.models import APIConfig
    from praisonai.deploy.api import generate_api_server_code
    cfg = APIConfig(auth_enabled=True, auth_token="s3cret-bearer-value")
    src = generate_api_server_code("agents.yaml", config=cfg)
    assert "AUTH_ENABLED = True" in src
    assert "AUTH_ENABLED = False" not in src
    print("  >> Fix shape works when toggled. Class H confirmed: default is insecure.")

def main():
    print("=" * 64)
    print("legend-c420 PoC - PraisonAI default-config AUTH_ENABLED=False")
    print("=" * 64)
    try:
        phase1_dataclass_defaults()
        phase2_default_generator_emits_unauth()
        phase3_fix_shape_available()
    except Exception:
        traceback.print_exc()
        print("FAIL"); sys.exit(2)
    print("PASS 3/3 phases. EXIT 0.")
    sys.exit(0)

if __name__ == "__main__":
    main()

PoC dependencies: praisonai==4.6.33 from PyPI. Tested on Python 3.11.

Run log verdict: PASS 3/3 phases. EXIT 0. — vulnerable-default shape confirmed. auth_enabled=False by default, check_auth() short-circuits to True, fix toggle exists but is opt-in.

Impact

An operator who runs the vendor-documented quickstart (pip install praisonai && praisonai deploy --type api) gets a network-reachable Flask server that invokes praisonai.run() on attacker-supplied JSON with the user's LLM API keys in the process environment. The attacker reaches arbitrary LLM-orchestration (including any tool-use the agents define, which in PraisonAI commonly includes python_repl, bash, file I/O, and HTTP calls), with the host's API-key credit billed to the operator.

  • Belief: CVE-2026-44338 was filed and triaged.
  • Reality: praisonai==4.6.33 is current @latest on PyPI (2026-05-16). The generator still defaults to auth_enabled=False.
  • Gap: The CVE acknowledges the fix shape exists. The fix is opt-in. The default-config consumer remains vulnerable.

Parent CVE: CVE-2026-44338 / GHSA-6rmh-7xcm-cpxj

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.39"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:29:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nCVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai deploy --type api`) get a server that:\n\n- binds to `0.0.0.0` per the recommended sample YAML\n- exposes `/chat` and `/agents` endpoints\n- runs `praisonai.run()` on user-supplied JSON input \u2014 LLM orchestration with the API key materials present in the process environment\n- does not require any authentication\n\nThe PyPI wheel `praisonai==4.6.33` (current `@latest`) still ships the generator with `auth_enabled` defaulting to `False`. The fix shape is opt-in via `APIConfig(auth_enabled=True, auth_token=...)`.\n\n### Details\n\n**Anchor (file:line:symbol)**\n\n- Vulnerable artifact: `praisonai==4.6.33` on PyPI.\n- Defaults: `praisonai/deploy/models.py:29` \u2014 `auth_enabled: bool = Field(default=False, ...)`; `praisonai/deploy/models.py:30` \u2014 `auth_token: Optional[str] = Field(default=None, ...)`.\n- Generator: `praisonai/deploy/api.py:40` \u2014 `AUTH_ENABLED = {config.auth_enabled}`; `api.py:41` \u2014 `AUTH_TOKEN = {repr(config.auth_token)}`; `api.py:43-49` \u2014 `def check_auth(): if not AUTH_ENABLED: return True`.\n- CLI entry: documented as `praisonai deploy --type api` (vendor README); produces the generator output above with no flag required to suppress the warning, because no warning is emitted.\n\n**Vulnerable code (verbatim from installed wheel)**\n\n```python\n# praisonai/deploy/models.py (praisonai==4.6.33)\nclass APIConfig(BaseModel):\n    host: str = Field(default=\"127.0.0.1\", description=\"Server host\")\n    port: int = Field(default=8005, description=\"Server port\")\n    cors_enabled: bool = Field(default=True, description=\"Enable CORS\")\n    auth_enabled: bool = Field(default=False, description=\"Enable authentication\")     # line 29\n    auth_token: Optional[str] = Field(default=None, description=\"Authentication token\") # line 30\n```\n\n```python\n# praisonai/deploy/api.py (praisonai==4.6.33)\ncode = f\\\u0027\\\u0027\\\u0027...\n# Authentication\nAUTH_ENABLED = {config.auth_enabled}      # False by default\nAUTH_TOKEN   = {repr(config.auth_token)}  # None by default\n\ndef check_auth():\n    if not AUTH_ENABLED:\n        return True                       # short-circuit, accept all\n    token = request.headers.get(\\\u0027Authorization\\\u0027, \\\u0027\\\u0027).replace(\\\u0027Bearer \\\u0027, \\\u0027\\\u0027)\n    return token == AUTH_TOKEN\n...\n\\\u0027\\\u0027\\\u0027\n```\n\nA default invocation of the deploy command emits a server whose `check_auth()` short-circuits to `True` and accepts unauthenticated `/chat`, `/agents` POSTs.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nlegend-c420 PoC - PraisonAI 4.6.33 generates Flask API server with auth\ndisabled by default. Class H sibling of CVE-2026-44338.\n\nPhase 1: reflect on praisonai.deploy.models.APIConfig defaults.\nPhase 2: call generate_api_server_code(default config) and assert the\n         emitted source contains AUTH_ENABLED = False and the\n         short-circuit return.\nPhase 3: re-run with auth_enabled=True, auth_token=\u0027s3cret-bearer-value\u0027\n         and confirm the emitted source flips to the secure shape.\n\nExit code 0 = PASS = vulnerable defaults confirmed.\n\"\"\"\nimport sys, traceback\n\ndef phase1_dataclass_defaults():\n    print(\"PHASE 1 - praisonai.deploy.models.APIConfig default values\")\n    from praisonai.deploy.models import APIConfig\n    cfg = APIConfig()\n    checks = [\n        (\"auth_enabled\", cfg.auth_enabled, False),\n        (\"auth_token\",   cfg.auth_token,   None),\n    ]\n    for name, observed, expected in checks:\n        ok = observed == expected\n        mark = \"VULNERABLE\" if name in (\"auth_enabled\",\"auth_token\") and ok else \"ok\"\n        print(f\"  {name:14s} = {observed!r:18s}  (expected {expected!r})  [{mark}]\")\n        assert ok\n    print(\"  \u003e\u003e APIConfig defaults reproduce the CVE-2026-44338 shape.\")\n\ndef phase2_default_generator_emits_unauth():\n    print(\"PHASE 2 - generate_api_server_code(default config) emits unauth server\")\n    from praisonai.deploy.models import APIConfig\n    from praisonai.deploy.api import generate_api_server_code\n    src = generate_api_server_code(\"agents.yaml\", config=APIConfig())\n    for needle in [\"AUTH_ENABLED = False\",\"AUTH_TOKEN = None\",\"if not AUTH_ENABLED:\",\"return True\"]:\n        assert needle in src, f\"missing: {needle!r}\"\n        print(f\"  [FOUND] {needle!r}\")\n    print(\"  \u003e\u003e Default-config generator emits Flask server with check_auth() short-circuit.\")\n\ndef phase3_fix_shape_available():\n    print(\"PHASE 3 - auth_enabled=True flips to secure shape\")\n    from praisonai.deploy.models import APIConfig\n    from praisonai.deploy.api import generate_api_server_code\n    cfg = APIConfig(auth_enabled=True, auth_token=\"s3cret-bearer-value\")\n    src = generate_api_server_code(\"agents.yaml\", config=cfg)\n    assert \"AUTH_ENABLED = True\" in src\n    assert \"AUTH_ENABLED = False\" not in src\n    print(\"  \u003e\u003e Fix shape works when toggled. Class H confirmed: default is insecure.\")\n\ndef main():\n    print(\"=\" * 64)\n    print(\"legend-c420 PoC - PraisonAI default-config AUTH_ENABLED=False\")\n    print(\"=\" * 64)\n    try:\n        phase1_dataclass_defaults()\n        phase2_default_generator_emits_unauth()\n        phase3_fix_shape_available()\n    except Exception:\n        traceback.print_exc()\n        print(\"FAIL\"); sys.exit(2)\n    print(\"PASS 3/3 phases. EXIT 0.\")\n    sys.exit(0)\n\nif __name__ == \"__main__\":\n    main()\n```\n\n**PoC dependencies:** `praisonai==4.6.33` from PyPI. Tested on Python 3.11.\n\n**Run log verdict:** `PASS 3/3 phases. EXIT 0.` \u2014 vulnerable-default shape confirmed. `auth_enabled=False` by default, `check_auth()` short-circuits to `True`, fix toggle exists but is opt-in.\n\n### Impact\n\nAn operator who runs the vendor-documented quickstart (`pip install praisonai \u0026\u0026 praisonai deploy --type api`) gets a network-reachable Flask server that invokes `praisonai.run()` on attacker-supplied JSON with the user\u0027s LLM API keys in the process environment. The attacker reaches arbitrary LLM-orchestration (including any tool-use the agents define, which in PraisonAI commonly includes `python_repl`, `bash`, file I/O, and HTTP calls), with the host\u0027s API-key credit billed to the operator.\n\n- **Belief:** CVE-2026-44338 was filed and triaged.\n- **Reality:** `praisonai==4.6.33` is current `@latest` on PyPI (2026-05-16). The generator still defaults to `auth_enabled=False`.\n- **Gap:** The CVE acknowledges the fix shape exists. The fix is opt-in. The default-config consumer remains vulnerable.\n\n**Parent CVE:** CVE-2026-44338 / GHSA-6rmh-7xcm-cpxj",
  "id": "GHSA-8444-4fhq-fxpq",
  "modified": "2026-05-29T22:29:20Z",
  "published": "2026-05-29T22:29:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8444-4fhq-fxpq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6rmh-7xcm-cpxj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default"
}

GHSA-85XP-66C9-65FX

Vulnerability from github – Published: 2025-05-30 00:31 – Updated: 2025-05-30 00:31
VLAI
Details

The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Even though it is possible to change this by SSHing into the device, it has remained unchanged on every installed system observed. This account is not root but holds high-level permissions that could severely impact the device's operation if exploited.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-30T00:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "The CS5000 Fire Panel is vulnerable due to a default account that exists\n on the panel. Even though it is possible to change this by SSHing into \nthe device, it has remained unchanged on every installed system \nobserved. This account is not root but holds high-level permissions that\n could severely impact the device\u0027s operation if exploited.",
  "id": "GHSA-85xp-66c9-65fx",
  "modified": "2025-05-30T00:31:14Z",
  "published": "2025-05-30T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41438"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-03"
    },
    {
      "type": "WEB",
      "url": "https://www.consiliumsafety.com/en/support"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-864F-7XJM-2JP2

Vulnerability from github – Published: 2025-04-25 06:30 – Updated: 2025-05-05 21:57
VLAI
Summary
CNCF K3s Kubernetes kubelet configuration exposes credentials
Details

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/k3s-io/k3s"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.32.0-rc1"
            },
            {
              "fixed": "1.32.4-rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-25T15:07:32Z",
    "nvd_published_at": "2025-04-25T05:15:33Z",
    "severity": "MODERATE"
  },
  "details": "CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.",
  "id": "GHSA-864f-7xjm-2jp2",
  "modified": "2025-05-05T21:57:30Z",
  "published": "2025-04-25T06:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/f1veT/BUG/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/k3s-io/k3s/issues/12164"
    },
    {
      "type": "WEB",
      "url": "https://github.com/k3s-io/k3s/commit/097b63e588e3c844cdf9b967bcd0a69f4fc0aa0a"
    },
    {
      "type": "WEB",
      "url": "https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/k3s-io/k3s"
    },
    {
      "type": "WEB",
      "url": "https://github.com/k3s-io/k3s/compare/v1.32.3+k3s1...v1.32.4-rc1+k3s1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CNCF K3s Kubernetes kubelet configuration exposes credentials"
}

GHSA-8CJR-R29R-M28V

Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

In WiFi, there is a possible disclosure of WiFi password to the end user due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-143534321

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "severity": "LOW"
  },
  "details": "In WiFi, there is a possible disclosure of WiFi password to the end user due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-143534321",
  "id": "GHSA-8cjr-r29r-m28v",
  "modified": "2022-08-17T00:00:33Z",
  "published": "2022-08-13T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20342"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8H6X-WRC8-G9XC

Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-06-02 00:00
VLAI
Details

A vulnerability has been identified in SIMATIC PCS 7 V9.0 and earlier (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 8). An authenticated attacker could escape the WinCC Kiosk Mode by opening the printer dialog in the affected application in case no printer is installed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SIMATIC PCS 7 V9.0 and earlier (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 8). An authenticated attacker could escape the WinCC Kiosk Mode by opening the printer dialog in the affected application in case no printer is installed.",
  "id": "GHSA-8h6x-wrc8-g9xc",
  "modified": "2022-06-02T00:00:34Z",
  "published": "2022-05-21T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24287"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-363107.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HJ4-PMP7-HG69

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46
VLAI
Details

A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-25T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270.",
  "id": "GHSA-8hj4-pmp7-hg69",
  "modified": "2022-05-13T01:46:46Z",
  "published": "2022-05-13T01:46:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6750"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170719-wsa4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99924"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038958"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8M73-W2R2-6XXJ

Vulnerability from github – Published: 2020-07-29 17:29 – Updated: 2023-03-03 00:01
VLAI
Summary
Insecure defaults in UmbracoForms
Details

This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-29T17:28:16Z",
    "nvd_published_at": "2020-07-28T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.",
  "id": "GHSA-8m73-w2r2-6xxj",
  "modified": "2023-03-03T00:01:57Z",
  "published": "2020-07-29T17:29:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7685"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-DOTNET-UMBRACOFORMS-595765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure defaults in UmbracoForms"
}

GHSA-8MWR-27X6-VJ6V

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-01T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU.",
  "id": "GHSA-8mwr-27x6-vj6v",
  "modified": "2022-05-13T01:35:00Z",
  "published": "2022-05-13T01:35:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10605"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-142-01"
    },
    {
      "type": "WEB",
      "url": "https://martem.eu/csa/Martem_CSA_Telem_1805183.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8Q86-4X73-99V8

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2025-02-26 00:32
VLAI
Details

The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have it forwarded to the target. An attacker can bypass access controls or hide the source of malicious requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-441"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:49Z",
    "severity": "MODERATE"
  },
  "details": "The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have it forwarded to the target. An attacker can bypass access controls or hide the source of malicious requests.",
  "id": "GHSA-8q86-4x73-99v8",
  "modified": "2025-02-26T00:32:11Z",
  "published": "2024-02-26T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0387"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-237129-eds-4000-g4000-series-ip-forwarding-vulnerability?viewmode=0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.