Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1248 vulnerabilities reference this CWE, most recent first.

GHSA-59VG-279R-WF25

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01
VLAI
Details

Datalust Seq before 2021.2.6259 allows users (with view filters applied to their accounts) to see query results not constrained by their view filter. This information exposure, caused by an internal cache key collision, occurs when the user's view filter includes an array or IN clause, and when another user has recently executed an identical query differing only by the array elements.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-27T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Datalust Seq before 2021.2.6259 allows users (with view filters applied to their accounts) to see query results not constrained by their view filter. This information exposure, caused by an internal cache key collision, occurs when the user\u0027s view filter includes an array or IN clause, and when another user has recently executed an identical query differing only by the array elements.",
  "id": "GHSA-59vg-279r-wf25",
  "modified": "2022-07-13T00:01:41Z",
  "published": "2022-05-24T19:15:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datalust/seq-tickets/issues/1322"
    },
    {
      "type": "WEB",
      "url": "https://blog.datalust.co"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59XF-CX6R-29GQ

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-17 00:00
VLAI
Details

Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.",
  "id": "GHSA-59xf-cx6r-29gq",
  "modified": "2022-07-17T00:00:45Z",
  "published": "2022-07-13T00:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30750"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FRP-V5H8-3HGC

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-04 00:00
VLAI
Details

Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-27T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in PDF in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
  "id": "GHSA-5frp-v5h8-3hgc",
  "modified": "2022-08-04T00:00:23Z",
  "published": "2022-07-28T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1875"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1306443"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FW4-HG92-MGM7

Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2022-10-28 19:00
VLAI
Details

An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-28T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs.",
  "id": "GHSA-5fw4-hg92-mgm7",
  "modified": "2022-10-28T19:00:30Z",
  "published": "2022-10-28T19:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3018"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3018.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/360938"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G5R-X2QH-4WM6

Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 18:30
VLAI
Details

In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
  "id": "GHSA-5g5r-x2qh-4wm6",
  "modified": "2023-12-07T18:30:27Z",
  "published": "2023-12-04T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42718"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GXV-94VG-H86P

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01
VLAI
Details

LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-22T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.",
  "id": "GHSA-5gxv-94vg-h86p",
  "modified": "2022-07-13T00:01:41Z",
  "published": "2022-05-24T19:15:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41011"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1279524"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5H4V-FJX7-95CQ

Vulnerability from github – Published: 2023-06-02 06:30 – Updated: 2024-11-01 00:31
VLAI
Details

Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.",
  "id": "GHSA-5h4v-fjx7-95cq",
  "modified": "2024-11-01T00:31:59Z",
  "published": "2023-06-02T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2062"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU92908006"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5HJ6-WM8R-GQJ8

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-28T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.",
  "id": "GHSA-5hj6-wm8r-gqj8",
  "modified": "2022-05-24T17:32:31Z",
  "published": "2022-05-24T17:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16263"
    },
    {
      "type": "WEB",
      "url": "https://labs.bishopfox.com/advisories/winston-privacy-version-1.5.4"
    },
    {
      "type": "WEB",
      "url": "https://winstonprivacy.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5HR6-R8H6-WH22

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-04-23 17:09
VLAI
Summary
JetPack Exposure of Resource to Wrong Sphere
Details

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "automattic/jetpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-24374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T17:09:16Z",
    "nvd_published_at": "2021-06-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a \"carousel\" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.",
  "id": "GHSA-5hr6-r8h6-wh22",
  "modified": "2024-04-23T17:09:16Z",
  "published": "2022-05-24T19:05:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24374"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Automattic/jetpack-production"
    },
    {
      "type": "WEB",
      "url": "https://jetpack.com/2021/06/01/jetpack-9-8-engage-your-audience-with-wordpress-stories"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/08a8a51c-49d3-4bce-b7e0-e365af1d8f33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JetPack Exposure of Resource to Wrong Sphere"
}

GHSA-5J3Q-VMJ5-H7FX

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-07-13 00:01
VLAI
Details

When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS < 34.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-24T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability affects Firefox for iOS \u003c 34.",
  "id": "GHSA-5j3q-vmj5-h7fx",
  "modified": "2022-07-13T00:01:18Z",
  "published": "2022-05-24T19:06:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29958"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1670127"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.