VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Abstraction: Base
Status: Incomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 8 of 8
  • CVE-2020-7729 (Sep 3, 2020)
    risk 0.00 cvss · epss 0.02

    The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

  • CVE-2020-7685 (Jul 28, 2020)
    risk 0.00 cvss · epss 0.01

    This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend…

  • CVE-2020-8828 (Apr 8, 2020)
    risk 0.00 cvss · epss 0.02

    As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are…

  • CVE-2013-2030 (Dec 27, 2013)
    risk 0.00 cvss · epss 0.00

    keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using…