CWE-15
AllowedExternal Control of System or Configuration Setting
Abstraction: Base · Status: Incomplete
One or more system settings or configuration elements can be externally controlled by a user.
136 vulnerabilities reference this CWE, most recent first.
GHSA-VG63-W3P9-JC9M
Vulnerability from github – Published: 2025-03-25 00:30 – Updated: 2025-11-03 21:33A security issue was discovered in ingress-nginx where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/ingress-nginx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/ingress-nginx"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0-beta.0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1098"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-25T15:06:43Z",
"nvd_published_at": "2025-03-25T00:15:14Z",
"severity": "HIGH"
},
"details": "A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
"id": "GHSA-vg63-w3p9-jc9m",
"modified": "2025-11-03T21:33:13Z",
"published": "2025-03-25T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1098"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/131008"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/ingress-nginx"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250328-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ingress-nginx controller - configuration injection via unsanitized mirror annotations"
}
GHSA-VMQR-RC7X-3446
Vulnerability from github – Published: 2026-03-03 18:54 – Updated: 2026-03-18 01:24When sort is explicitly added to tools.exec.safeBins (non-default), the --compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.
Affected Packages / Versions
- Package:
openclaw(npm) - Vulnerable versions:
<=2026.2.21-2 - Latest published npm version checked during triage:
2026.2.21-2(as of February 22, 2026) - Patched in planned next release:
2026.2.22
Fix Commit(s)
57fbbaebca4d34d17549accf6092ae26eb7b605c
Release Process Note
patched_versions is pre-set to the planned next release (>=2026.2.22). Once that npm release is published, the advisory can be published directly.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22169"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T18:54:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "When `sort` is explicitly added to `tools.exec.safeBins` (non-default), the `--compress-program` option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c=2026.2.21-2`\n- Latest published npm version checked during triage: `2026.2.21-2` (as of February 22, 2026)\n- Patched in planned next release: `2026.2.22`\n\n## Fix Commit(s)\n\n- `57fbbaebca4d34d17549accf6092ae26eb7b605c`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`\u003e=2026.2.22`). Once that npm release is published, the advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-vmqr-rc7x-3446",
"modified": "2026-03-18T01:24:57Z",
"published": "2026-03-03T18:54:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vmqr-rc7x-3446"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s non-default safeBins sort configuration can bypass intended allowlist approval constraints"
}
GHSA-VP64-77C6-33H8
Vulnerability from github – Published: 2025-09-15 18:31 – Updated: 2025-09-15 22:25Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server’s shared secret and add the attacker controlled server to the staging server’s whitelist.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:com.liferay.portal.kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "130.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43792"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T22:25:10Z",
"nvd_published_at": "2025-09-15T17:15:34Z",
"severity": "LOW"
},
"details": "Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake \u201clive site\u201d) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server\u2019s shared secret and add the attacker controlled server to the staging server\u2019s whitelist.",
"id": "GHSA-vp64-77c6-33h8",
"modified": "2025-09-15T22:25:10Z",
"published": "2025-09-15T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43792"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43792"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal has External Control of System or Configuration Settings"
}
GHSA-VV9J-PVH3-XWG4
Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-07-10 18:31Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.
{
"affected": [],
"aliases": [
"CVE-2025-27889"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T17:15:46Z",
"severity": "LOW"
},
"details": "Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker.",
"id": "GHSA-vv9j-pvh3-xwg4",
"modified": "2025-07-10T18:31:27Z",
"published": "2025-07-10T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27889"
},
{
"type": "WEB",
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27889.txt"
},
{
"type": "WEB",
"url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812"
},
{
"type": "WEB",
"url": "https://www.wftpserver.com/wftpserver.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W9CG-V44M-4QV8
Vulnerability from github – Published: 2026-03-03 22:09 – Updated: 2026-03-03 22:09Summary
BASH_ENV / ENV startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.19-2 - Fixed on
main:2cdbadee1f8fcaa93302d7debbfc529e19868ea4 - Planned patched release version:
2026.2.21
Details
The fix hardens environment handling across all relevant execution paths: - Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization. - Sanitizes inherited ambient environment even when no per-request overrides are provided. - Blocks dangerous config-driven env injection before values enter process environment. - Uses the same sanitizer in macOS host execution paths. - Aligns skill env override sanitization with the shared dangerous-env policy.
Impact
Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone.
Fix Commit(s)
2cdbadee1f8fcaa93302d7debbfc529e19868ea4
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.21). Once npm openclaw@2026.2.21 is published, the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T22:09:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n`BASH_ENV` / `ENV` startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.19-2`\n- Fixed on `main`: `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`\n- Planned patched release version: `2026.2.21`\n\n### Details\nThe fix hardens environment handling across all relevant execution paths:\n- Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization.\n- Sanitizes inherited ambient environment even when no per-request overrides are provided.\n- Blocks dangerous config-driven env injection before values enter process environment.\n- Uses the same sanitizer in macOS host execution paths.\n- Aligns skill env override sanitization with the shared dangerous-env policy.\n\n### Impact\nMedium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone.\n\n### Fix Commit(s)\n- `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once npm `openclaw@2026.2.21` is published, the advisory can be published without further field edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-w9cg-v44m-4qv8",
"modified": "2026-03-03T22:09:52Z",
"published": "2026-03-03T22:09:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands"
}
GHSA-W9FX-47F2-7VFF
Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
{
"affected": [],
"aliases": [
"CVE-2025-30512"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T22:15:26Z",
"severity": "MODERATE"
},
"details": "Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).",
"id": "GHSA-w9fx-47f2-7vff",
"modified": "2025-04-16T00:31:38Z",
"published": "2025-04-16T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30512"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WC64-C5RV-32PF
Vulnerability from github – Published: 2023-05-11 20:47 – Updated: 2023-05-11 20:47Impact
The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification [1]. Among the files read is .in_totorc which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an .in_totorc file that includes the necessary exclude patterns and settings.
RC files are widely used in other systems [2] and security issues have been discovered in their implementations as well [3]. We found in our conversations with in-toto adopters that in_totorc is not their preferred way to configure in-toto. As none of the options supported in in_totorc is unique, and can be set elsewhere using API parameters or CLI arguments, we decided to drop support for in_totorc.
Other Recommendations
Sandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.
References
[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html [2] https://spec.editorconfig.org/ [3] https://github.blog/2022-04-12-git-security-vulnerability-announced/
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.0"
},
"package": {
"ecosystem": "PyPI",
"name": "in-toto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32076"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-610"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-11T20:47:56Z",
"nvd_published_at": "2023-05-10T18:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification [1]. Among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings.\n\nRC files are widely used in other systems [2] and security issues have been discovered in their implementations as well [3]. We found in our conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, we decided to drop support for `in_totorc`.\n\n### Other Recommendations\n\nSandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.\n\n### References\n\n[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html\n[2] https://spec.editorconfig.org/\n[3] https://github.blog/2022-04-12-git-security-vulnerability-announced/\n",
"id": "GHSA-wc64-c5rv-32pf",
"modified": "2023-05-11T20:47:56Z",
"published": "2023-05-11T20:47:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32076"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd"
},
{
"type": "PACKAGE",
"url": "https://github.com/in-toto/in-toto"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/in-toto/releases/tag/v2.0.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/in-toto/PYSEC-2023-63.yaml"
},
{
"type": "WEB",
"url": "https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "in-toto vulnerable to Configuration Read From Local Directory"
}
GHSA-WH2C-VG4V-4Q9M
Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-11-04 00:32Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the ftp_name POST parameter.
{
"affected": [],
"aliases": [
"CVE-2024-39793"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T15:15:24Z",
"severity": "CRITICAL"
},
"details": "Multiple external config control vulnerabilities exist in the nas.cgi set_nas() proftpd functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists in the `ftp_name` POST parameter.",
"id": "GHSA-wh2c-vg4v-4q9m",
"modified": "2025-11-04T00:32:17Z",
"published": "2025-01-14T15:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39793"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMW7-JPM9-RMFF
Vulnerability from github – Published: 2026-04-08 21:33 – Updated: 2026-05-07 18:30An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213.
{
"affected": [],
"aliases": [
"CVE-2026-30817"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-610"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T19:25:20Z",
"severity": "MODERATE"
},
"details": "An external configuration control vulnerability in the OpenVPN module\u00a0of TP-Link AX53 v1.0\u00a0allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213.",
"id": "GHSA-wmw7-jpm9-rmff",
"modified": "2026-05-07T18:30:33Z",
"published": "2026-04-08T21:33:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30817"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2305"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/5055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WWR6-8P5G-FWF7
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2023-09-01 12:30External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
{
"affected": [],
"aliases": [
"CVE-2023-4704"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T10:15:08Z",
"severity": "HIGH"
},
"details": "External Control of System or Configuration Setting in GitHub repository instantsoft/icms2 prior to 2.16.1-git.",
"id": "GHSA-wwr6-8p5g-fwf7",
"modified": "2023-09-01T12:30:44Z",
"published": "2023-09-01T12:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4704"
},
{
"type": "WEB",
"url": "https://github.com/instantsoft/icms2/commit/bc22d89691fdaf38055eba13dda8d959b16fa731"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/4a54134d-df1f-43d4-9b14-45f023cd654a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Mitigation
In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
CAPEC-13: Subverting Environment Variable Values
The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-146: XML Schema Poisoning
An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.
CAPEC-176: Configuration/Environment Manipulation
An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.
CAPEC-203: Manipulate Registry Information
An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.
CAPEC-270: Modification of Registry Run Keys
An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.
CAPEC-271: Schema Poisoning
An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.
CAPEC-579: Replace Winlogon Helper DLL
Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.