CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-Q6Q8-2JWH-F6XX
Vulnerability from github – Published: 2022-03-20 00:00 – Updated: 2022-03-29 00:01Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
{
"affected": [],
"aliases": [
"CVE-2022-26267"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T23:15:00Z",
"severity": "HIGH"
},
"details": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.",
"id": "GHSA-q6q8-2jwh-f6xx",
"modified": "2022-03-29T00:01:32Z",
"published": "2022-03-20T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26267"
},
{
"type": "WEB",
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q72P-4W56-HX7H
Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2023-07-11 00:16An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.talelin:lin-cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-32430"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-11T00:16:48Z",
"nvd_published_at": "2022-07-21T16:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.",
"id": "GHSA-q72p-4w56-hx7h",
"modified": "2023-07-11T00:16:48Z",
"published": "2022-07-22T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32430"
},
{
"type": "PACKAGE",
"url": "https://github.com/TaleLin/lin-cms-spring-boot"
},
{
"type": "WEB",
"url": "https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/resources/application.yml#L43"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220721190946/https://www.mesec.cn/archives/277"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hardcoded JWT Token in Lin CMS Spring Boot"
}
GHSA-Q73X-XMPW-H2W6
Vulnerability from github – Published: 2022-02-13 00:00 – Updated: 2022-03-17 00:05Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0117"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-12T00:15:00Z",
"severity": "MODERATE"
},
"details": "Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-q73x-xmpw-h2w6",
"modified": "2022-03-17T00:05:36Z",
"published": "2022-02-13T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0117"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1115847"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7W9-W25V-6WQM
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.
{
"affected": [],
"aliases": [
"CVE-2022-38770"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T23:15:00Z",
"severity": "MODERATE"
},
"details": "The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users\u0027 data upon a successful login request.",
"id": "GHSA-q7w9-w25v-6wqm",
"modified": "2022-09-18T00:00:32Z",
"published": "2022-09-14T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38770"
},
{
"type": "WEB",
"url": "https://mojodat-vulnerabilities.netlify.app"
},
{
"type": "WEB",
"url": "https://transtek.com/mojodat-fixed-assets"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7XV-26R5-C2H7
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-35235"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin \u003c= 2.6 at WordPress.",
"id": "GHSA-q7xv-26r5-c2h7",
"modified": "2022-08-27T00:00:56Z",
"published": "2022-08-24T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35235"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wpide/wordpress-wpide-plugin-2-6-authenticated-arbitrary-file-read-vulnerability"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/wpide/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9GJ-HWHG-7F7H
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.
{
"affected": [],
"aliases": [
"CVE-2021-29715"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-26T20:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.",
"id": "GHSA-q9gj-hwhg-7f7h",
"modified": "2022-07-13T00:01:17Z",
"published": "2022-05-24T19:12:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29715"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201018"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6483653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC86-J87R-2654
Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-06-02 00:00Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-26317"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.",
"id": "GHSA-qc86-j87r-2654",
"modified": "2022-06-02T00:00:39Z",
"published": "2022-05-13T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26317"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCCC-5FMC-RM5V
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.
{
"affected": [],
"aliases": [
"CVE-2021-22446"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T18:15:00Z",
"severity": "HIGH"
},
"details": "There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.",
"id": "GHSA-qccc-5fmc-rm5v",
"modified": "2022-07-13T00:01:09Z",
"published": "2022-05-24T19:09:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22446"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCPF-R4F6-XPVM
Vulnerability from github – Published: 2023-08-29 00:32 – Updated: 2024-04-04 07:14An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.
{
"affected": [],
"aliases": [
"CVE-2023-34725"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T22:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.",
"id": "GHSA-qcpf-r4f6-xpvm",
"modified": "2024-04-04T07:14:53Z",
"published": "2023-08-29T00:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34725"
},
{
"type": "WEB",
"url": "https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725"
},
{
"type": "WEB",
"url": "https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/174553/TECHView-LA5570-Wireless-Gateway-1.0.19_T53-Traversal-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCQ8-MGFX-4PFJ
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow
{
"affected": [],
"aliases": [
"CVE-2021-29280"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow",
"id": "GHSA-qcq8-mgfx-4pfj",
"modified": "2022-05-24T19:11:40Z",
"published": "2022-05-24T19:11:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29280"
},
{
"type": "WEB",
"url": "https://github.com/deadlysnowman3308/upgraded-ARP-Poisoning"
},
{
"type": "WEB",
"url": "https://hackingvila.wordpress.com/2021/04/28/upgraded-arp-poisoning-tool"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.