CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-24WW-MC5X-XC43
Vulnerability from github – Published: 2021-05-07 15:54 – Updated: 2021-05-05 19:22In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "3.11.0"
},
{
"fixed": "3.11.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cassandra:cassandra-all"
},
"ranges": [
{
"events": [
{
"introduced": "4.0-beta1"
},
{
"fixed": "4.0-beta2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.0-beta1"
]
}
],
"aliases": [
"CVE-2020-13946"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T19:22:12Z",
"nvd_published_at": "2020-09-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.",
"id": "GHSA-24ww-mc5x-xc43",
"modified": "2021-05-05T19:22:12Z",
"published": "2021-05-07T15:54:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13946"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1fd117082b992e7d43c1286e966c285f98aa362e685695d999ff42f7@%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r718e01f61b35409a4f7a3ccbc1cb5136a1558a9f9c2cb8d4ca9be1ce@%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rab8d90d28f944d84e4d7852f355a25c89451ae02c2decc4d355a9cfc@%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcd7544b24d8fc32b7950ec4c117052410b661babaa857fb1fc641152%40%3Cuser.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210521-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Man-in-the-middle attack in Apache Cassandra"
}
GHSA-254C-2J77-4HHM
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-09 00:00IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. This information could then be used in future attacks. IBM X-Force ID: 226940.
{
"affected": [],
"aliases": [
"CVE-2022-22494"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. This information could then be used in future attacks. IBM X-Force ID: 226940.",
"id": "GHSA-254c-2j77-4hhm",
"modified": "2022-07-09T00:00:25Z",
"published": "2022-07-01T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22494"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/226940"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6596883"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-258J-HJX4-W4M2
Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-06-01 00:00Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.
{
"affected": [],
"aliases": [
"CVE-2022-28991"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.",
"id": "GHSA-258j-hjx4-w4m2",
"modified": "2022-06-01T00:00:33Z",
"published": "2022-05-21T00:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28991"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/166590/Multi-Store-Inventory-Management-System-1.0-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-25GJ-GFHX-XWGH
Vulnerability from github – Published: 2023-11-02 18:30 – Updated: 2023-11-02 18:30A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.
{
"affected": [],
"aliases": [
"CVE-2023-4217"
],
"database_specific": {
"cwe_ids": [
"CWE-1004",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-02T17:15:11Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n",
"id": "GHSA-25gj-gfhx-xwgh",
"modified": "2023-11-02T18:30:25Z",
"published": "2023-11-02T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4217"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230203-pt-g503-series-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-25HM-2VQM-695W
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-07-13 00:01Possible information exposure and denial of service due to NAS not dropping messages when integrity check fails in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2021-30284"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-12T07:15:00Z",
"severity": "HIGH"
},
"details": "Possible information exposure and denial of service due to NAS not dropping messages when integrity check fails in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-25hm-2vqm-695w",
"modified": "2022-07-13T00:01:20Z",
"published": "2022-05-24T19:20:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30284"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/november-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25XC-JWFQ-39JW
Vulnerability from github – Published: 2021-04-19 14:50 – Updated: 2022-08-15 20:03Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
- https://vaadin.com/security/cve-2021-31407
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.0"
]
}
],
"aliases": [
"CVE-2021-31407"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:15:42Z",
"nvd_published_at": "2021-04-23T16:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerability in OSGi integration in `com.vaadin:flow-server` versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.\n\n- https://vaadin.com/security/cve-2021-31407",
"id": "GHSA-25xc-jwfq-39jw",
"modified": "2022-08-15T20:03:44Z",
"published": "2021-04-19T14:50:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31407"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/10269"
},
{
"type": "PACKAGE",
"url": "https://github.com/vaadin/flow"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2021-31407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure"
}
GHSA-269Q-HMXG-M83Q
Vulnerability from github – Published: 2022-05-10 08:46 – Updated: 2022-05-10 08:46Description
GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.
Impact
When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.
This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.
Vulnerability Details
To fix the vulnerability the code was changed to the following:
@SuppressJava6Requirement(reason = "Guarded by version check")
public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
if (javaVersion() >= 7) {
if (directory == null) {
return Files.createTempFile(prefix, suffix).toFile();
}
return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
}
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
File file = File.createTempFile(prefix, suffix, directory);
// Try to adjust the perms, if this fails there is not much else we can do...
file.setReadable(false, false);
file.setReadable(true, true);
return file;
}
Unfortunately, this logic path was left vulnerable:
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
This file is still readable by all local users.
Patches
Update to 4.1.77.Final
Workarounds
Specify your own java.io.tmpdir when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user or update to Java 7 or above.
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
For more information
If you have any questions or comments about this advisory:
Open an issue in netty
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.76.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.77.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24823"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-379",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-10T08:46:50Z",
"nvd_published_at": "2022-05-06T12:15:00Z",
"severity": "MODERATE"
},
"details": "### Description ###\n[GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.\n\n### Impact ###\n\nWhen netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThis only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\n### Vulnerability Details ###\n\nTo fix the vulnerability the code was changed to the following:\n\n```java\n @SuppressJava6Requirement(reason = \"Guarded by version check\")\n public static File createTempFile(String prefix, String suffix, File directory) throws IOException {\n if (javaVersion() \u003e= 7) {\n if (directory == null) {\n return Files.createTempFile(prefix, suffix).toFile();\n }\n return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();\n }\n if (directory == null) {\n return File.createTempFile(prefix, suffix);\n }\n File file = File.createTempFile(prefix, suffix, directory);\n // Try to adjust the perms, if this fails there is not much else we can do...\n file.setReadable(false, false);\n file.setReadable(true, true);\n return file;\n }\n```\n\nUnfortunately, this logic path was left vulnerable:\n\n```java\n if (directory == null) {\n return File.createTempFile(prefix, suffix);\n }\n```\n\nThis file is still readable by all local users.\n\n### Patches ###\n\nUpdate to 4.1.77.Final\n\n### Workarounds ###\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above.\n\n### References ###\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n\n### For more information ###\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [netty](https://github.com/netty/netty)\n",
"id": "GHSA-269q-hmxg-m83q",
"modified": "2022-05-10T08:46:50Z",
"published": "2022-05-10T08:46:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220616-0004"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Local Information Disclosure Vulnerability in io.netty:netty-codec-http"
}
GHSA-26FG-V32R-H663
Vulnerability from github – Published: 2023-11-09 21:30 – Updated: 2023-11-17 21:58H5P metadata automatically populated the author with the user's username, which could be sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0-rc2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5545"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-10T00:41:16Z",
"nvd_published_at": "2023-11-09T20:15:09Z",
"severity": "MODERATE"
},
"details": "H5P metadata automatically populated the author with the user\u0027s username, which could be sensitive information.",
"id": "GHSA-26fg-v32r-h663",
"modified": "2023-11-17T21:58:46Z",
"published": "2023-11-09T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5545"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/100ac7c6467a7de2c05713a0a924984ff1593d53"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=451586"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-78820"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability"
}
GHSA-26HM-C7GJ-Q5MP
Vulnerability from github – Published: 2021-12-30 00:00 – Updated: 2022-10-27 19:00Emuse - eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service.
{
"affected": [],
"aliases": [
"CVE-2021-36723"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-29T15:15:00Z",
"severity": "HIGH"
},
"details": "Emuse - eServices / eNvoice Exposure Of Private Personal Information due to lack of identification mechanisms and predictable IDs an attacker can scrape all the files on the service.",
"id": "GHSA-26hm-c7gj-q5mp",
"modified": "2022-10-27T19:00:31Z",
"published": "2021-12-30T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36723"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-26RP-X6JF-5QX8
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-07-13 00:01The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data.
{
"affected": [],
"aliases": [
"CVE-2021-36791"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-13T17:15:00Z",
"severity": "MODERATE"
},
"details": "The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data.",
"id": "GHSA-26rp-x6jf-5qx8",
"modified": "2022-07-13T00:01:31Z",
"published": "2022-05-24T22:01:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36791"
},
{
"type": "WEB",
"url": "https://typo3.org/help/security-advisories/security"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2021-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.