CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1248 vulnerabilities reference this CWE, most recent first.
GHSA-WXM4-276X-4V9J
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-07-13 00:01Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2021-1968"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-20T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-wxm4-276x-4v9j",
"modified": "2022-07-13T00:01:03Z",
"published": "2022-05-24T19:18:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1968"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172856/Qualcomm-NPU-Use-After-Free-Information-Leak.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXP7-94M7-556Q
Vulnerability from github – Published: 2023-07-14 00:30 – Updated: 2024-04-04 06:07An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory
{
"affected": [],
"aliases": [
"CVE-2023-37599"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T22:15:09Z",
"severity": "HIGH"
},
"details": "An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory",
"id": "GHSA-wxp7-94m7-556q",
"modified": "2024-04-04T06:07:44Z",
"published": "2023-07-14T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37599"
},
{
"type": "WEB",
"url": "https://github.com/sahiloj/CVE-2023-37599"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2V4-6R37-4QQ5
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-07-13 00:00Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.
{
"affected": [],
"aliases": [
"CVE-2020-28012"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-06T13:15:00Z",
"severity": "HIGH"
},
"details": "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.",
"id": "GHSA-x2v4-6r37-4qq5",
"modified": "2022-07-13T00:00:50Z",
"published": "2022-05-24T19:01:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28012"
},
{
"type": "WEB",
"url": "https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28012-CLOSE.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X369-MCW8-8RVJ
Vulnerability from github – Published: 2026-03-04 18:18 – Updated: 2026-03-05 15:26Description
Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type.
Patches
The problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.
The installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, chrome://extensions or about:addons pages.
Users are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.
NPM package
The issue does not affect developers using the darkreader NPM package for website integration. Developers using the setFetchMethod() API must ensure the cross-origin requests are restricted to the intended scope.
Custom forks
Developers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.
Acknowledgements
Security research performed by Brian Carpenter - Deep Fork Cyber.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "darkreader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.117"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68467"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-346",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T18:18:23Z",
"nvd_published_at": "2026-03-04T22:16:11Z",
"severity": "LOW"
},
"details": "### Description\nDark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example `http://localhost:8080/style.css`, If an address was available and returned a `text/css` content type.\n\n### Patches\nThe problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.\n\nThe installed extension version number can be verified in Dark Reader\u0027s menu (More \u003e All settings \u003e About), browser settings, `chrome://extensions` or `about:addons` pages.\n\nUsers are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.\n\n### NPM package\n\nThe issue does not affect developers using the `darkreader` NPM package for website integration. Developers using the `setFetchMethod()` API must ensure the cross-origin requests are restricted to the intended scope.\n\n### Custom forks\n\nDevelopers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.\n\n### Acknowledgements\nSecurity research performed by [Brian Carpenter](https://x.com/geeknik) - [Deep Fork Cyber](https://deepforkcyber.com/).",
"id": "GHSA-x369-mcw8-8rvj",
"modified": "2026-03-05T15:26:18Z",
"published": "2026-03-04T18:18:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
},
{
"type": "PACKAGE",
"url": "https://github.com/darkreader/darkreader"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dark Reader gives users the ability to request style sheets from local web servers"
}
GHSA-X386-HM2P-7Q2H
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.
{
"affected": [],
"aliases": [
"CVE-2022-30732"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T19:15:00Z",
"severity": "HIGH"
},
"details": "Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.",
"id": "GHSA-x386-hm2p-7q2h",
"modified": "2022-06-12T00:00:46Z",
"published": "2022-06-08T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30732"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3MM-8FP8-Q5GJ
Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2025-01-02 21:31Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26934, CVE-2022-29112.
{
"affected": [],
"aliases": [
"CVE-2022-22011"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26934, CVE-2022-29112.",
"id": "GHSA-x3mm-8fp8-q5gj",
"modified": "2025-01-02T21:31:32Z",
"published": "2022-05-11T00:01:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22011"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22011"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3P3-X38C-J2C6
Vulnerability from github – Published: 2022-11-25 18:30 – Updated: 2022-11-29 21:30PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.
{
"affected": [],
"aliases": [
"CVE-2022-38813"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T17:15:00Z",
"severity": "HIGH"
},
"details": "PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.",
"id": "GHSA-x3p3-x38c-j2c6",
"modified": "2022-11-29T21:30:26Z",
"published": "2022-11-25T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38813"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1iMswKzoUvindXUGh1cuAmi-0R84tLDaH/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/RashidKhanPathan/CVE-2022-38813"
},
{
"type": "WEB",
"url": "https://ihexcoder.wixsite.com/secresearch/post/cve-2022-38813-privilege-escalations-in-blood-donor-management-system-v1-0"
},
{
"type": "WEB",
"url": "https://phpgurukul.com/blood-donor-management-system-using-codeigniter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3V8-G92V-WP97
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2023-08-08 15:31Visual Basic for Applications Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-42295"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "Visual Basic for Applications Information Disclosure Vulnerability",
"id": "GHSA-x3v8-g92v-wp97",
"modified": "2023-08-08T15:31:24Z",
"published": "2021-12-16T00:02:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42295"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X444-P8VV-928W
Vulnerability from github – Published: 2023-02-27 15:30 – Updated: 2023-03-09 15:30Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.
{
"affected": [],
"aliases": [
"CVE-2023-27265"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T15:15:00Z",
"severity": "LOW"
},
"details": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.",
"id": "GHSA-x444-p8vv-928w",
"modified": "2023-03-09T15:30:50Z",
"published": "2023-02-27T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27265"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X446-3XHQ-5XFP
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-26 13:03SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "Simple-Wayland-HotKey-Daemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27814"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-26T13:03:51Z",
"nvd_published_at": "2022-04-14T17:15:00Z",
"severity": "LOW"
},
"details": "SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.",
"id": "GHSA-x446-3xhq-5xfp",
"modified": "2022-04-26T13:03:51Z",
"published": "2022-04-15T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27814"
},
{
"type": "PACKAGE",
"url": "https://github.com/waycrate/swhkd"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/releases"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/releases/tag/1.2.0"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2022/04/14/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in Simple-Wayland-HotKey-Daemon"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.