Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-VVRW-6H2V-CMMV

Vulnerability from github – Published: 2023-08-10 15:30 – Updated: 2024-04-04 06:48
VLAI
Details

An information leak in PHPJabbers Yacht Listing Script v1.0 allows attackers to export clients' credit card numbers from the Reservations module.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-10T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "An information leak in PHPJabbers Yacht Listing Script v1.0 allows attackers to export clients\u0027 credit card numbers from the Reservations module.",
  "id": "GHSA-vvrw-6h2v-cmmv",
  "modified": "2024-04-04T06:48:31Z",
  "published": "2023-08-10T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38830"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40milfortutz/multiple-vulnerabilities-in-phpjabbers-part-2-4fa5e2ccfe2e"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@milfortutz/multiple-vulnerabilities-in-phpjabbers-part-2-4fa5e2ccfe2e"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/yacht-listing-script"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVVP-C6HW-M8PJ

Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2025-09-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix information leakage in /proc/net/ptype

In one net namespace, after creating a packet socket without binding it to a device, users in other net namespaces can observe the new packet_type added by this packet socket by reading /proc/net/ptype file. This is minor information leakage as packet socket is namespace aware.

Add a net pointer in packet_type to keep the net namespace of of corresponding packet socket. In ptype_seq_show, this net pointer must be checked when it is not NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix information leakage in /proc/net/ptype\n\nIn one net namespace, after creating a packet socket without binding\nit to a device, users in other net namespaces can observe the new\n`packet_type` added by this packet socket by reading `/proc/net/ptype`\nfile. This is minor information leakage as packet socket is\nnamespace aware.\n\nAdd a net pointer in `packet_type` to keep the net namespace of\nof corresponding packet socket. In `ptype_seq_show`, this net pointer\nmust be checked when it is not NULL.",
  "id": "GHSA-vvvp-c6hw-m8pj",
  "modified": "2025-09-17T18:31:14Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48757"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47934e06b65637c88a762d9c98329ae6e3238888"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/839ec7039513a4f84bfbaff953a9393471176bee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f88c78d24f6f346919007cd459fd7e51a8c7779"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b67ad6170c0ea87391bb253f35d1f78857736e54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be1ca30331c7923c6f376610c1bd6059be9b1908"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c38023032a598ec6263e008d62c7f02def72d5c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db044d97460ea792110eb8b971e82569ded536c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e372ecd455b6ebc7720f52bf4b5f5d44d02f2092"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e43669c77cb3a742b7d84ecdc7c68c4167a7709b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVWG-MM2Q-WVGR

Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-06 00:00
VLAI
Details

In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-28T10:15:00Z",
    "severity": "LOW"
  },
  "details": "In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible",
  "id": "GHSA-vvwg-mm2q-wvgr",
  "modified": "2022-05-06T00:00:55Z",
  "published": "2022-04-29T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29820"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VW2X-RP6V-F32F

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remote code execution.",
  "id": "GHSA-vw2x-rp6v-f32f",
  "modified": "2022-08-16T00:00:24Z",
  "published": "2022-08-11T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31673"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2022-0022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VW84-HPRM-CXMM

Vulnerability from github – Published: 2025-10-31 21:24 – Updated: 2025-10-31 21:24
VLAI
Summary
Agno session state overwrites between different sessions/users
Details

Impact

Under certain conditions (under high concurrency), when session_state is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user.

Patches

This has been patched in version 2.2.2. Upgrade with pip install -U agno.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "agno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-31T21:24:53Z",
    "nvd_published_at": "2025-10-31T15:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nUnder certain conditions (under high concurrency), when `session_state` is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a `session_state` to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user.\n\n### Patches\nThis has been patched in version 2.2.2. Upgrade with `pip install -U agno`.",
  "id": "GHSA-vw84-hprm-cxmm",
  "modified": "2025-10-31T21:24:53Z",
  "published": "2025-10-31T21:24:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agno-agi/agno/security/advisories/GHSA-vw84-hprm-cxmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64168"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agno-agi/agno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Agno session state overwrites between different sessions/users"
}

GHSA-VWFH-HRM2-8Q9H

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-20 00:00
VLAI
Details

Browse restriction bypass vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Scheduler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Browse restriction bypass vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Scheduler.",
  "id": "GHSA-vwfh-hrm2-8q9h",
  "modified": "2022-08-20T00:00:57Z",
  "published": "2022-08-19T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25986"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2022/007584.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN20573662/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWXH-HR5C-V523

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

An Arbitrary Address Write issue in the Autodesk DWG application can allow a malicious user to leverage the application to write in unexpected paths. In order to exploit this the attacker would need the victim to enable full page heap in the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-25T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Arbitrary Address Write issue in the Autodesk DWG application can allow a malicious user to leverage the application to write in unexpected paths. In order to exploit this the attacker would need the victim to enable full page heap in the application.",
  "id": "GHSA-vwxh-hr5c-v523",
  "modified": "2022-05-24T19:06:19Z",
  "published": "2022-05-24T19:06:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27043"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VX2P-M3J3-FJ93

Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-06-02 00:00
VLAI
Details

A malicious or compromised User Application (UApp) or AGESA Boot Loader (ABL) could be used by an attacker to exfiltrate arbitrary memory from the ASP stage 2 bootloader potentially leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "A malicious or compromised User Application (UApp) or AGESA Boot Loader (ABL) could be used by an attacker to exfiltrate arbitrary memory from the ASP stage 2 bootloader potentially leading to information disclosure.",
  "id": "GHSA-vx2p-m3j3-fj93",
  "modified": "2022-06-02T00:00:26Z",
  "published": "2022-05-13T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26361"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXF8-WWPW-PHXG

Vulnerability from github – Published: 2023-05-12 12:30 – Updated: 2024-03-21 03:35
VLAI
Details

An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to access sensitive information via the EXE installer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-12T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "An issue found in Webroot SecureAnywhere Endpoint Protection CE 23.1 v.9.0.33.39 and before allows a local attacker to access sensitive information via the EXE installer.",
  "id": "GHSA-vxf8-wwpw-phxg",
  "modified": "2024-03-21T03:35:15Z",
  "published": "2023-05-12T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29820"
    },
    {
      "type": "WEB",
      "url": "https://www.spenceralessi.com/CVEs/2023-05-10-Webroot-SecureAnywhere"
    },
    {
      "type": "WEB",
      "url": "http://secureanywhere.com"
    },
    {
      "type": "WEB",
      "url": "http://webroot.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXJH-JV72-7244

Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2023-08-31 18:30
VLAI
Details

Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30991, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30991, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.",
  "id": "GHSA-vxjh-jv72-7244",
  "modified": "2023-08-31T18:30:28Z",
  "published": "2023-08-31T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41745"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-2008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.