CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-R44W-PFX8-28JV
Vulnerability from github – Published: 2022-12-14 21:30 – Updated: 2025-04-21 22:51An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via unsubscribeAction operations.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "fixpunkt/fp-newsletter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "fixpunkt/fp-newsletter"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "fixpunkt/fp-newsletter"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-47411"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-21T22:51:45Z",
"nvd_published_at": "2022-12-14T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via unsubscribeAction operations.",
"id": "GHSA-r44w-pfx8-28jv",
"modified": "2025-04-21T22:51:45Z",
"published": "2022-12-14T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47411"
},
{
"type": "PACKAGE",
"url": "https://github.com/bihor/fp_newsletter"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2022-017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": " \"Newsletter subscriber management\" (fp_newsletter) TYPO3 extension leaks subscriber data"
}
GHSA-R4XQ-54V8-4C6Q
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 00:00Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=delete_img.
{
"affected": [],
"aliases": [
"CVE-2022-32328"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=delete_img.",
"id": "GHSA-r4xq-54v8-4c6q",
"modified": "2022-06-23T00:00:22Z",
"published": "2022-06-15T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32328"
},
{
"type": "WEB",
"url": "https://github.com/k0xx11/bug_report/blob/main/vendors/oretnom23/fast-food-ordering-system/delet-file-1.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R527-QPPG-G2JQ
Vulnerability from github – Published: 2022-04-17 00:00 – Updated: 2022-04-27 00:00Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
{
"affected": [],
"aliases": [
"CVE-2022-26653"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).",
"id": "GHSA-r527-qppg-g2jq",
"modified": "2022-04-27T00:00:29Z",
"published": "2022-04-17T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26653"
},
{
"type": "WEB",
"url": "https://raxis.com/blog/cve-2022-26653-and-cve-2022-26777"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/remote-desktop-management/advisory/cve-2022-26653.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R5C3-3MF2-X8C7
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2024-03-27 15:30libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without Public Suffix Listawareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
{
"affected": [],
"aliases": [
"CVE-2022-27779"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "MODERATE"
},
"details": "libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl\u0027s \"cookie engine\" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.",
"id": "GHSA-r5c3-3mf2-x8c7",
"modified": "2024-03-27T15:30:35Z",
"published": "2022-06-03T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27779"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1553301"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202212-01"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220609-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R62C-GW4M-R5QJ
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.
{
"affected": [],
"aliases": [
"CVE-2021-3380"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "Insecure direct object reference (IDOR) vulnerability in ICREM H8 SSRMS allows attackers to disclose sensitive information via the Print Invoice Functionality.",
"id": "GHSA-r62c-gw4m-r5qj",
"modified": "2022-05-24T19:20:16Z",
"published": "2022-05-24T19:20:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3380"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49508"
},
{
"type": "WEB",
"url": "http://height8.com"
},
{
"type": "WEB",
"url": "http://icrem.com"
},
{
"type": "WEB",
"url": "http://www.height8tech.com/carrier-grade-OSS-BSS.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R67Q-RJQ6-8HP6
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
{
"affected": [],
"aliases": [
"CVE-2021-38587"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T23:15:00Z",
"severity": "HIGH"
},
"details": "In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).",
"id": "GHSA-r67q-rjq6-8hp6",
"modified": "2022-07-13T00:01:35Z",
"published": "2022-05-24T19:11:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38587"
},
{
"type": "WEB",
"url": "https://docs.cpanel.net/changelogs/96-change-log"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7VR-M4JW-R794
Vulnerability from github – Published: 2026-04-09 12:31 – Updated: 2026-06-05 14:27Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only.
Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results.
Users are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34538"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:31:47Z",
"nvd_published_at": "2026-04-09T10:16:22Z",
"severity": "MODERATE"
},
"details": "Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only.\n\nAirflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results.\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0 which resolves this issue.",
"id": "GHSA-r7vr-m4jw-r794",
"modified": "2026-06-05T14:27:15Z",
"published": "2026-04-09T12:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34538"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/64415"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/releases/tag/3.2.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-21.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow has an authorization bypass in DagRun wait endpoint"
}
GHSA-R858-V5C8-GXQ7
Vulnerability from github – Published: 2023-11-13 21:30 – Updated: 2023-11-13 21:30Use of implicit intent for sensitive communication vulnerability in startNameValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
{
"affected": [],
"aliases": [
"CVE-2023-42549"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T08:15:22Z",
"severity": "MODERATE"
},
"details": "Use of implicit intent for sensitive communication vulnerability in startNameValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.",
"id": "GHSA-r858-v5c8-gxq7",
"modified": "2023-11-13T21:30:57Z",
"published": "2023-11-13T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42549"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8RW-G922-J95J
Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2023-08-08 15:31In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
{
"affected": [],
"aliases": [
"CVE-2021-39892"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don\u0027t have a maintainer role on and disclose email addresses of those users.",
"id": "GHSA-r8rw-g922-j95j",
"modified": "2023-08-08T15:31:37Z",
"published": "2022-01-19T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39892"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/542539"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39892.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/28440"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8VP-6R8V-9X9X
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-19 00:01Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.
{
"affected": [],
"aliases": [
"CVE-2022-26355"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "MODERATE"
},
"details": "Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate\u0027s private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate\u2019s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.",
"id": "GHSA-r8vp-6r8v-9x9x",
"modified": "2022-03-19T00:01:29Z",
"published": "2022-03-11T00:02:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26355"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX341587"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.