Common Weakness Enumeration

CWE-15

Allowed

External Control of System or Configuration Setting

Abstraction: Base · Status: Incomplete

One or more system settings or configuration elements can be externally controlled by a user.

136 vulnerabilities reference this CWE, most recent first.

GHSA-X5JV-PXJQ-575R

Vulnerability from github – Published: 2024-04-01 12:30 – Updated: 2024-04-01 12:30
VLAI
Details

A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product's expected behavior and potentially load a third-party library upon execution. This issue affects Total Security: 27.0.25.114; Internet Security: 27.0.25.114; Antivirus Plus: 27.0.25.114; Antivirus Free: 27.0.25.114.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-01T11:15:52Z",
    "severity": "HIGH"
  },
  "details": "A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product\u0027s expected behavior and potentially load a third-party library upon execution. This issue affects Total Security: 27.0.25.114; Internet Security: 27.0.25.114; Antivirus Plus: 27.0.25.114; Antivirus Free: 27.0.25.114.",
  "id": "GHSA-x5jv-pxjq-575r",
  "modified": "2024-04-01T12:30:44Z",
  "published": "2024-04-01T12:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6154"
    },
    {
      "type": "WEB",
      "url": "https://bitdefender.com/support/security-advisories/local-privilege-escalation-in-bitdefender-total-security-va-11168"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6H5-P8QF-9J76

Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-06-30 21:31
VLAI
Details

Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T22:16:17Z",
    "severity": "HIGH"
  },
  "details": "Dr\u00e4ger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity.",
  "id": "GHSA-x6h5-p8qf-9j76",
  "modified": "2026-06-30T21:31:36Z",
  "published": "2026-06-02T00:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25716"
    },
    {
      "type": "WEB",
      "url": "https://static.draeger.com/security"
    },
    {
      "type": "WEB",
      "url": "https://static.draeger.com/security/download/2019-01-22-draeger-infinity-delta-vf10-1-security-advisory.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dr-ger-infinity-delta-kappa-patient-monitor-dos-via-malformed-network-packet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XFXH-3P9C-MWW9

Vulnerability from github – Published: 2026-07-14 03:31 – Updated: 2026-07-14 03:31
VLAI
Details

SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T01:16:18Z",
    "severity": "MODERATE"
  },
  "details": "SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.",
  "id": "GHSA-xfxh-3p9c-mww9",
  "modified": "2026-07-14T03:31:37Z",
  "published": "2026-07-14T03:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44768"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3155685"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGF2-VXV2-RRMG

Vulnerability from github – Published: 2026-03-03 22:12 – Updated: 2026-03-30 13:37
VLAI
Summary
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Details

Summary

system.run environment sanitization allowed shell-startup env overrides (HOME, ZDOTDIR) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.21-2 (latest published vulnerable version)
  • Planned patched version: >= 2026.2.22

Technical Details

In affected versions: - Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (HOME, ZDOTDIR) in host exec env paths. - Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects. - Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.

Observed exploit vectors: - HOME + bash -lc + malicious .bash_profile - ZDOTDIR + zsh -c + malicious .zshenv

Fix Commit(s)

  • c2c7114ed39a547ab6276e1e933029b9530ee906

Release Process Note

patched_versions is pre-set to the planned next release (>= 2026.2.22). After the npm release is published, this advisory can be published directly.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:12:51Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n`system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.21-2` (latest published vulnerable version)\n- Planned patched version: `\u003e= 2026.2.22`\n\n### Technical Details\nIn affected versions:\n- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (`HOME`, `ZDOTDIR`) in host exec env paths.\n- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.\n- Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.\n\nObserved exploit vectors:\n- `HOME` + `bash -lc` + malicious `.bash_profile`\n- `ZDOTDIR` + `zsh -c` + malicious `.zshenv`\n\n### Fix Commit(s)\n- `c2c7114ed39a547ab6276e1e933029b9530ee906`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`\u003e= 2026.2.22`). After the npm release is published, this advisory can be published directly.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-xgf2-vxv2-rrmg",
  "modified": "2026-03-30T13:37:58Z",
  "published": "2026-03-03T22:12:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32056"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s shell startup env injection bypasses system.run allowlist intent (RCE class)"
}

GHSA-XR7F-6R6V-CQMM

Vulnerability from github – Published: 2026-04-10 15:31 – Updated: 2026-04-10 15:31
VLAI
Details

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T14:16:34Z",
    "severity": "HIGH"
  },
  "details": "Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.",
  "id": "GHSA-xr7f-6r6v-cqmm",
  "modified": "2026-04-10T15:31:57Z",
  "published": "2026-04-10T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33092"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-9407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXQC-MRQ8-7966

Vulnerability from github – Published: 2026-04-08 21:33 – Updated: 2026-05-07 18:30
VLAI
Details

An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed.  Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-30816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T19:25:20Z",
    "severity": "MODERATE"
  },
  "details": "An external control of configuration vulnerability in the OpenVPN module\u00a0of TP-Link AX53 v1.0\u00a0allows an authenticated adjacent attacker to read arbitrary file when a malicious configuration file is processed.\u00a0\nSuccessful\nexploitation may allow unauthorized access to arbitrary files on the device,\npotentially exposing sensitive information.This issue affects AX53 v1.0: before 1.7.1 Build 20260213.",
  "id": "GHSA-xxqc-mrq8-7966",
  "modified": "2026-05-07T18:30:32Z",
  "published": "2026-04-08T21:33:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30816"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2304"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/faq/5055"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Implementation Architecture and Design

Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

Mitigation
Implementation Architecture and Design

In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-146: XML Schema Poisoning

An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.

CAPEC-176: Configuration/Environment Manipulation

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

CAPEC-203: Manipulate Registry Information

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

CAPEC-270: Modification of Registry Run Keys

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

CAPEC-271: Schema Poisoning

An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.

CAPEC-579: Replace Winlogon Helper DLL

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

CAPEC-69: Target Programs with Elevated Privileges

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.