CWE-358
AllowedImproperly Implemented Security Check for Standard
Abstraction: Base · Status: Draft
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
197 vulnerabilities reference this CWE, most recent first.
GHSA-4MWC-55H2-WW8Q
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 15:30Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment.
{
"affected": [],
"aliases": [
"CVE-2025-62585"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T07:15:33Z",
"severity": "HIGH"
},
"details": "Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment.",
"id": "GHSA-4mwc-55h2-ww8q",
"modified": "2025-10-16T15:30:42Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62585"
},
{
"type": "WEB",
"url": "https://cve.naver.com/detail/cve-2025-62585.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4R99-7P57-XJR3
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-10 15:31An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature
{
"affected": [],
"aliases": [
"CVE-2024-36511"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T15:15:16Z",
"severity": "LOW"
},
"details": "An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature",
"id": "GHSA-4r99-7p57-xjr3",
"modified": "2024-09-10T15:31:05Z",
"published": "2024-09-10T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36511"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-22-256"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-594X-75RC-PH7R
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations.
{
"affected": [],
"aliases": [
"CVE-2016-3017"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations.",
"id": "GHSA-594x-75rc-ph7r",
"modified": "2022-05-13T01:14:04Z",
"published": "2022-05-13T01:14:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3017"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21995519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5952-327W-4PC5
Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41Curam Universal Access in IBM Curam Social Program Management (SPM) 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.5 iFix5 allows remote attackers to obtain sensitive information about internal caseworker usernames via vectors related to a URL.
{
"affected": [],
"aliases": [
"CVE-2014-4843"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-08T16:29:00Z",
"severity": "MODERATE"
},
"details": "Curam Universal Access in IBM Curam Social Program Management (SPM) 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.5 iFix5 allows remote attackers to obtain sensitive information about internal caseworker usernames via vectors related to a URL.",
"id": "GHSA-5952-327w-4pc5",
"modified": "2022-05-17T02:41:09Z",
"published": "2022-05-17T02:41:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4843"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21698548"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/73943"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H6F-94QC-P3V7
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-06 00:00It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
{
"affected": [],
"aliases": [
"CVE-2020-10743"
],
"database_specific": {
"cwe_ids": [
"CWE-1021",
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-02T11:15:00Z",
"severity": "MODERATE"
},
"details": "It was discovered that OpenShift Container Platform\u0027s (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP\u0027s distribution of Kibana, such as clickjacking.",
"id": "GHSA-5h6f-94qc-p3v7",
"modified": "2022-08-06T00:00:48Z",
"published": "2022-05-24T19:03:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10743"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:3727"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:4298"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-10743"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1834550"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5M75-XC7X-RG6M
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-06 00:00A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser. This flaw affects openshift/console versions before openshift/console-4.
{
"affected": [],
"aliases": [
"CVE-2020-1761"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the OpenShift web console, where the access token is stored in the browser\u0027s local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim\u0027s browser. This flaw affects openshift/console versions before openshift/console-4.",
"id": "GHSA-5m75-xc7x-rg6m",
"modified": "2022-08-06T00:00:47Z",
"published": "2022-05-24T19:03:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1761"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RGQ-6CG5-CM5J
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 15:30Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
{
"affected": [],
"aliases": [
"CVE-2025-62583"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T07:15:33Z",
"severity": "CRITICAL"
},
"details": "Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.",
"id": "GHSA-5rgq-6cg5-cm5j",
"modified": "2025-10-16T15:30:42Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62583"
},
{
"type": "WEB",
"url": "https://cve.naver.com/detail/cve-2025-62583.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5W43-PFC6-5944
Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-06 18:30Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2024-6995"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T16:15:50Z",
"severity": "CRITICAL"
},
"details": "Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-5w43-pfc6-5944",
"modified": "2024-08-06T18:30:57Z",
"published": "2024-08-06T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6995"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/343938078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WRR-98HX-X2QX
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-08 18:31Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11122"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:18Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-5wrr-98hx-x2qx",
"modified": "2026-06-08T18:31:44Z",
"published": "2026-06-05T00:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11122"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/501485453"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76C5-FPFR-HGF7
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2025-05-20 18:30SnapCenter versions prior to 4.7 shipped without Content Security Policy (CSP) implemented which could allow certain types of attacks that otherwise would be prevented.
{
"affected": [],
"aliases": [
"CVE-2022-38732"
],
"database_specific": {
"cwe_ids": [
"CWE-358"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T15:15:00Z",
"severity": "HIGH"
},
"details": "SnapCenter versions prior to 4.7 shipped without Content Security Policy (CSP) implemented which could allow certain types of attacks that otherwise would be prevented.",
"id": "GHSA-76c5-fpfr-hgf7",
"modified": "2025-05-20T18:30:47Z",
"published": "2022-09-30T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38732"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/NTAP-20220926-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.