CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-QVPM-G7WJ-8G8G
Vulnerability from github – Published: 2022-03-22 00:00 – Updated: 2026-07-05 03:30BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.
{
"affected": [],
"aliases": [
"CVE-2022-23345"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-21T20:15:00Z",
"severity": "HIGH"
},
"details": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.",
"id": "GHSA-qvpm-g7wj-8g8g",
"modified": "2026-07-05T03:30:46Z",
"published": "2022-03-22T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23345"
},
{
"type": "WEB",
"url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23345"
},
{
"type": "WEB",
"url": "https://www.bigantsoft.com"
},
{
"type": "WEB",
"url": "http://bigant.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QVXP-WQPJ-8GWF
Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2022-03-19 00:01Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.
{
"affected": [],
"aliases": [
"CVE-2022-0815"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T23:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user\u2019s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.",
"id": "GHSA-qvxp-wqpj-8gwf",
"modified": "2022-03-19T00:01:23Z",
"published": "2022-03-12T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0815"
},
{
"type": "WEB",
"url": "https://service.mcafee.com/?articleId=TS103273\u0026page=shell\u0026shell=article-view"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QW42-C99X-MHGJ
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-02-24 00:01Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.
{
"affected": [],
"aliases": [
"CVE-2021-42712"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-15T14:15:00Z",
"severity": "HIGH"
},
"details": "Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.",
"id": "GHSA-qw42-c99x-mhgj",
"modified": "2022-02-24T00:01:09Z",
"published": "2022-02-16T00:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42712"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0007/MNDT-2022-0007.md"
},
{
"type": "WEB",
"url": "https://www.splashtop.com/security"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QW6V-CQCW-98JC
Vulnerability from github – Published: 2023-09-15 03:30 – Updated: 2024-01-25 18:30A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application. This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions.
{
"affected": [],
"aliases": [
"CVE-2022-20917"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-15T03:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application.\n This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions.",
"id": "GHSA-qw6v-cqcw-98jc",
"modified": "2024-01-25T18:30:44Z",
"published": "2023-09-15T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20917"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-xmpp-Ne9SCM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QW79-R33F-9PVJ
Vulnerability from github – Published: 2026-06-03 00:30 – Updated: 2026-06-03 21:30Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect.
{
"affected": [],
"aliases": [
"CVE-2025-15653"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T22:16:15Z",
"severity": "HIGH"
},
"details": "Dr\u00e4ger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dr\u00e4ger Service Connect.",
"id": "GHSA-qw79-r33f-9pvj",
"modified": "2026-06-03T21:30:28Z",
"published": "2026-06-03T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15653"
},
{
"type": "WEB",
"url": "https://static.draeger.com/security/download/Product-Security-Advisory-25-349-Zeus.pdf"
},
{
"type": "WEB",
"url": "https://www.draeger.com/security"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dr-ger-zeus-ie-anesthesia-workstation-usb-interface-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QWWV-HC99-6F5P
Vulnerability from github – Published: 2026-06-19 00:31 – Updated: 2026-06-19 00:31PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents.
{
"affected": [],
"aliases": [
"CVE-2026-56077"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-18T23:16:19Z",
"severity": "HIGH"
},
"details": "PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents.",
"id": "GHSA-qwwv-hc99-6f5p",
"modified": "2026-06-19T00:31:37Z",
"published": "2026-06-19T00:31:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56077"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/praisonai-information-disclosure-via-shared-multiagentledger-state"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QX39-7CF8-2GF6
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-40012"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T14:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.",
"id": "GHSA-qx39-7cf8-2gf6",
"modified": "2022-07-16T00:00:21Z",
"published": "2022-07-13T00:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40012"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/7"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/8"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202208-0000001363876177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX73-VWH5-XJPC
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior)
{
"affected": [],
"aliases": [
"CVE-2022-32530"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T13:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior)",
"id": "GHSA-qx73-vwh5-xjpc",
"modified": "2022-07-07T00:00:25Z",
"published": "2022-06-25T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32530"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-02_Geo_SCADA_Android_App_Security_Notification.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX9H-HX3F-JR6W
Vulnerability from github – Published: 2023-06-06 18:30 – Updated: 2024-04-04 04:36Landscape's server-status page exposed sensitive system information. This data leak included GET requests which contain information to attack and leak further information from the Landscape API.
{
"affected": [],
"aliases": [
"CVE-2023-32550"
],
"database_specific": {
"cwe_ids": [
"CWE-497",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T16:15:10Z",
"severity": "HIGH"
},
"details": "Landscape\u0027s server-status page exposed sensitive system information. This data leak included GET requests which contain information to attack and leak further information from the Landscape API.",
"id": "GHSA-qx9h-hx3f-jr6w",
"modified": "2024-04-04T04:36:06Z",
"published": "2023-06-06T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32550"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/landscape/+bug/1929037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXXC-7MQ4-MF79
Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-20 22:03Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.util:java-merge-sort"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24913"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T20:55:23Z",
"nvd_published_at": "2023-01-12T05:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exposing temporary file contents.",
"id": "GHSA-qxxc-7mq4-mf79",
"modified": "2023-01-20T22:03:35Z",
"published": "2023-01-12T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24913"
},
{
"type": "WEB",
"url": "https://github.com/cowtowncoder/java-merge-sort/pull/21"
},
{
"type": "WEB",
"url": "https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902"
},
{
"type": "PACKAGE",
"url": "https://github.com/cowtowncoder/java-merge-sort"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Java Merge-sort Insecure Temporary File vulnerability"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.