CWE-749
AllowedExposed Dangerous Method or Function
Abstraction: Base · Status: Incomplete
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
304 vulnerabilities reference this CWE, most recent first.
GHSA-XFP5-23MR-JWJM
Vulnerability from github – Published: 2025-07-17 21:32 – Updated: 2025-07-17 21:32GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.
{
"affected": [],
"aliases": [
"CVE-2025-53964"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T20:15:30Z",
"severity": "CRITICAL"
},
"details": "GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.",
"id": "GHSA-xfp5-23mr-jwjm",
"modified": "2025-07-17T21:32:16Z",
"published": "2025-07-17T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53964"
},
{
"type": "WEB",
"url": "https://github.com/goldendict/goldendict/releases"
},
{
"type": "WEB",
"url": "https://github.com/tigr78/CVE-2025-53964"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XGQ5-8XJQ-968V
Vulnerability from github – Published: 2025-07-01 15:31 – Updated: 2025-07-01 15:31A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service
{
"affected": [],
"aliases": [
"CVE-2025-37097"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-01T14:15:38Z",
"severity": "HIGH"
},
"details": "A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service",
"id": "GHSA-xgq5-8xjq-968v",
"modified": "2025-07-01T15:31:09Z",
"published": "2025-07-01T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37097"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04878en_us\u0026docLocale=en_US"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2025-15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV6G-6G23-79W2
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-06 15:30This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
{
"affected": [],
"aliases": [
"CVE-2022-36983"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.",
"id": "GHSA-xv6g-6g23-79w2",
"modified": "2023-04-06T15:30:18Z",
"published": "2023-03-29T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36983"
},
{
"type": "WEB",
"url": "https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVPW-PP3C-GX2X
Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677.
{
"affected": [],
"aliases": [
"CVE-2025-14495"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T22:15:50Z",
"severity": "HIGH"
},
"details": "RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677.",
"id": "GHSA-xvpw-pp3c-gx2x",
"modified": "2025-12-24T00:30:16Z",
"published": "2025-12-24T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14495"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1169"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Strategy: Attack Surface Reduction
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.