Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-FPV7-MHHR-H93X

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2023-06-29 06:30
VLAI
Details

Microsoft Office Information Disclosure Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Office Information Disclosure Vulnerability.",
  "id": "GHSA-fpv7-mhhr-h93x",
  "modified": "2023-06-29T06:30:17Z",
  "published": "2022-02-10T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23252"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23252"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23252"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ5M-CP8F-255J

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.",
  "id": "GHSA-fq5m-cp8f-255j",
  "modified": "2022-05-24T17:33:18Z",
  "published": "2022-05-24T17:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26084"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-eff-incperm-9E6h4yBz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FQ7V-XJ92-R9MR

Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2025-05-30 18:30
VLAI
Details

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-01T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.",
  "id": "GHSA-fq7v-xj92-r9mr",
  "modified": "2025-05-30T18:30:42Z",
  "published": "2022-03-02T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24446"
    },
    {
      "type": "WEB",
      "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-24446"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory"
    },
    {
      "type": "WEB",
      "url": "https://excellium-services.com/cert-xlm-advisory/cve-2022-24446"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/key-manager"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/key-manager/release-notes.html#6200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ83-F496-R75H

Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.",
  "id": "GHSA-fq83-f496-r75h",
  "modified": "2022-07-13T00:01:53Z",
  "published": "2022-07-05T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28713"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2022/007429.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ84-CHPX-FM5F

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01
VLAI
Details

Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-18T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Viewing restrictions bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to obtain the data of Portal without the viewing privilege.",
  "id": "GHSA-fq84-chpx-fm5f",
  "modified": "2022-07-13T00:01:06Z",
  "published": "2022-05-24T19:11:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20755"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2021/007206.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN54794245/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQCP-358Q-WG2P

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace. A local authenticated user can bypass Application Whitelisting restrictions to execute arbitrary code by leveraging multiple unspecified attack vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-15T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Ivanti Workspace Control before 10.3.10.0 and RES One Workspace. A local authenticated user can bypass Application Whitelisting restrictions to execute arbitrary code by leveraging multiple unspecified attack vectors.",
  "id": "GHSA-fqcp-358q-wg2p",
  "modified": "2022-05-13T01:50:10Z",
  "published": "2022-05-13T01:50:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15591"
    },
    {
      "type": "WEB",
      "url": "https://community.ivanti.com/docs/DOC-69684"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2018/Oct/8"
    },
    {
      "type": "WEB",
      "url": "https://www.securify.nl/en/advisory/SFY20180806/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_see-command-line-argument.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/149614/Ivanti-Workspace-Control-Application-PowerGrid-SEE-Whitelist-Bypass.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Oct/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQHM-44XP-628C

Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-29 00:01
VLAI
Details

A permissions issue was addressed with improved validation. This issue is fixed in Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access restricted files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A permissions issue was addressed with improved validation. This issue is fixed in Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. An application may be able to access restricted files.",
  "id": "GHSA-fqhm-44xp-628c",
  "modified": "2022-03-29T00:01:35Z",
  "published": "2022-03-19T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22583"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213054"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213055"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR28-P2JH-93MM

Vulnerability from github – Published: 2023-04-15 21:30 – Updated: 2024-04-04 03:29
VLAI
Details

An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn't because they are hidden.) This is related to ApiVisualEditor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-15T20:16:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the VisualEditor extension in MediaWiki before 1.31.13, and 1.32.x through 1.35.x before 1.35.2. . When using VisualEditor to edit a MediaWiki user page belonging to an existing, but hidden, user, VisualEditor will disclose that the user exists. (It shouldn\u0027t because they are hidden.) This is related to ApiVisualEditor.",
  "id": "GHSA-fr28-p2jh-93mm",
  "modified": "2024-04-04T03:29:16Z",
  "published": "2023-04-15T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30153"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/XYBF5RSTJRMVCP7QBYK7643W75A3KCIY"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T270453"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRCG-47MH-PJ2G

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-03-27 18:32
VLAI
Details

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single \"static\" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.",
  "id": "GHSA-frcg-47mh-pj2g",
  "modified": "2024-03-27T18:32:37Z",
  "published": "2022-05-24T19:05:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1172857"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2021-22897.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210727-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRPC-MXVH-F9W7

Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48
VLAI
Details

DHCP Server Service Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-14T00:15:09Z",
    "severity": "MODERATE"
  },
  "details": "DHCP Server Service Information Disclosure Vulnerability",
  "id": "GHSA-frpc-mxvh-f9w7",
  "modified": "2024-04-04T04:48:23Z",
  "published": "2023-06-14T00:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29355"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29355"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.