Common Weakness Enumeration

CWE-358

Allowed

Improperly Implemented Security Check for Standard

Abstraction: Base · Status: Draft

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

197 vulnerabilities reference this CWE, most recent first.

GHSA-C29M-P6XF-PPGW

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-23T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.",
  "id": "GHSA-c29m-p6xf-ppgw",
  "modified": "2022-05-13T01:37:35Z",
  "published": "2022-05-13T01:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15091"
    },
    {
      "type": "WEB",
      "url": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C37Q-9VG5-CQHJ

Vulnerability from github – Published: 2025-02-07 03:32 – Updated: 2025-02-07 03:32
VLAI
Details

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
  "id": "GHSA-c37q-9vg5-cqhj",
  "modified": "2025-02-07T03:32:02Z",
  "published": "2025-02-07T03:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21267"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C47Q-H9W3-RCWG

Vulnerability from github – Published: 2024-04-17 09:30 – Updated: 2024-07-03 18:34
VLAI
Details

Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1068",
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T08:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-c47q-h9w3-rcwg",
  "modified": "2024-07-03T18:34:44Z",
  "published": "2024-04-17T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3845"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/323583084"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC8C-62X7-QWJR

Vulnerability from github – Published: 2024-07-17 00:32 – Updated: 2024-08-01 15:32
VLAI
Details

Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T22:15:06Z",
    "severity": "HIGH"
  },
  "details": "Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-cc8c-62x7-qwjr",
  "modified": "2024-08-01T15:32:03Z",
  "published": "2024-07-17T00:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6772"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/346597059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJW9-8435-H4Q5

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:13:08Z",
    "severity": "HIGH"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-cjw9-8435-h4q5",
  "modified": "2026-04-02T21:31:42Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27842"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214106"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CM7J-45W4-QF6V

Vulnerability from github – Published: 2025-12-08 09:30 – Updated: 2025-12-08 09:30
VLAI
Details

Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T08:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-cm7j-45w4-qf6v",
  "modified": "2025-12-08T09:30:18Z",
  "published": "2025-12-08T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66323"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMCR-7FQV-V785

Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47
VLAI
Details

In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123.",
  "id": "GHSA-cmcr-7fqv-v785",
  "modified": "2022-05-14T03:47:20Z",
  "published": "2022-05-14T03:47:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15662"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43451"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/145764/VX-Search-Enterprise-10.1.12-Denial-Of-Service.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMWX-9M2H-X7V4

Vulnerability from github – Published: 2018-10-10 17:23 – Updated: 2024-09-03 21:31
VLAI
Summary
Ansible apt_key module does not properly verify key fingerprint
Details

A flaw was found in Ansible before version 2.2.0.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-8614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:32:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A flaw was found in Ansible before version 2.2.0.0. The `apt_key` module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.",
  "id": "GHSA-cmwx-9m2h-x7v4",
  "modified": "2024-09-03T21:31:19Z",
  "published": "2018-10-10T17:23:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8614"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-modules-core/issues/5237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-modules-core/pull/5353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-modules-core/pull/5357"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-modules-core/commit/1182d1f0b76d56f3667e27987a10b9ec8f03357d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-modules-core/commit/66d47c8149d84e52f64b7c4d1f340d45dca94d9c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cmwx-9m2h-x7v4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-37.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227214450/https://www.securityfocus.com/bid/94108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ansible apt_key module does not properly verify key fingerprint"
}

GHSA-CPQG-X3J4-HHV6

Vulnerability from github – Published: 2025-10-12 09:30 – Updated: 2025-10-12 09:30
VLAI
Details

HCL Unica Platform is impacted by misconfigured Content Security Policy (CSP). These can result in malicious resources getting loaded and browsers may come across certain types of attacks, such as cross-site scripting and clickjacking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-12T08:15:40Z",
    "severity": "MODERATE"
  },
  "details": "HCL Unica Platform is impacted by misconfigured Content Security Policy (CSP).  These can result in malicious resources getting loaded and browsers may come across certain types of attacks, such as cross-site scripting and clickjacking.",
  "id": "GHSA-cpqg-x3j4-hhv6",
  "modified": "2025-10-12T09:30:54Z",
  "published": "2025-10-12T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31969"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124417"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQJV-5R3C-4HMG

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

A Violation of Secure Design Principles issue was discovered in Schneider Electric Modicon Modbus Protocol. The Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358",
      "CWE-657"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Violation of Secure Design Principles issue was discovered in Schneider Electric Modicon Modbus Protocol. The Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.",
  "id": "GHSA-cqjv-5r3c-4hmg",
  "modified": "2022-05-13T01:36:35Z",
  "published": "2022-05-13T01:36:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6032"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97562"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.