Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-G863-M67X-WHH5

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:30
VLAI
Details

Vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Page/Article.Php.

This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-11T18:16:32Z",
    "severity": "LOW"
  },
  "details": "Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Page/Article.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.",
  "id": "GHSA-g863-m67x-whh5",
  "modified": "2026-05-18T15:30:33Z",
  "published": "2026-05-11T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34094"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T416090"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G8P2-7WF7-98MQ

Vulnerability from github – Published: 2026-02-02 23:41 – Updated: 2026-02-02 23:41
VLAI
Summary
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
Details

Summary

The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.

Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim's browser initiates the outbound connection.

Details

The root cause is the lack of validation for gatewayUrl combined with auto‑connect behavior on page load. With the change users now need to confirm the new gateway URL in the UI.

Impact

This is a token exfiltration vulnerability that leads to full gateway compromise. It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim's browser acts as the bridge.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.1.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "clawdbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.1.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T23:41:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe Control UI trusts `gatewayUrl` from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.\n\nClicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim\u0027s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim\u0027s browser initiates the outbound connection.\n\n## Details\n\nThe root cause is the lack of validation for `gatewayUrl` combined with auto\u2011connect behavior on page load. With the change users now need to confirm the new gateway URL in the UI.\n\n## Impact\n\nThis is a token exfiltration vulnerability that leads to full gateway compromise. It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim\u0027s browser acts as the bridge.",
  "id": "GHSA-g8p2-7wf7-98mq",
  "modified": "2026-02-02T23:41:05Z",
  "published": "2026-02-02T23:41:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253"
    },
    {
      "type": "WEB",
      "url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://openclaw.ai/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl"
}

GHSA-G8P8-2V2X-8MHV

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01
VLAI
Details

Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.",
  "id": "GHSA-g8p8-2v2x-8mhv",
  "modified": "2022-07-13T00:01:38Z",
  "published": "2022-05-24T19:16:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39900"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G94P-M365-483P

Vulnerability from github – Published: 2022-04-04 00:00 – Updated: 2022-04-13 00:00
VLAI
Details

Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-03T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (knowing the device\u0027s serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concatenating the serial number and the model (i.e., the LVSKIHP string), running the sha256sum program, and extracting the first seven characters concatenated with the last seven characters of that SHA-256 value.",
  "id": "GHSA-g94p-m365-483p",
  "modified": "2022-04-13T00:00:50Z",
  "published": "2022-04-04T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/verizon/comments/sstq4c/5g_home_internet_dropping_out/hx3ir0s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G97H-G5HQ-W73P

Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.",
  "id": "GHSA-g97h-g5hq-w73p",
  "modified": "2022-07-13T00:01:53Z",
  "published": "2022-07-05T00:00:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29467"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2022/007429.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN73897863/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9GJ-X94C-4PVG

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details

DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-13T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.",
  "id": "GHSA-g9gj-x94c-4pvg",
  "modified": "2022-05-13T01:03:34Z",
  "published": "2022-05-13T01:03:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md"
    },
    {
      "type": "WEB",
      "url": "https://kongxin.gitbook.io/dedecms-5-7-bug"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9M8-5243-X34C

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-07-13 00:01
VLAI
Details

SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-14T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.",
  "id": "GHSA-g9m8-5243-x34c",
  "modified": "2022-07-13T00:01:25Z",
  "published": "2022-05-24T19:08:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33677"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3044754"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9RQ-P8H7-MCJ8

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability in the Juniper Networks Paragon Active Assurance Control Center may allow an attacker with specific information about the deployment to mimic an already registered Test Agent and access its configuration including associated inventory details. If the issue occurs, the affected Test Agent will not be able to connect to the Control Center. This issue affects Juniper Networks Paragon Active Assurance Control Center All versions prior to 2.35.6; 2.36 versions prior to 2.36.2.",
  "id": "GHSA-g9rq-p8h7-mcj8",
  "modified": "2022-05-24T17:48:11Z",
  "published": "2022-05-24T17:48:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0232"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11127"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNPCV3KRDI5PLLLKADFVIOHACQJLZMLI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GC37-9G7F-96FX

Vulnerability from github – Published: 2021-11-23 18:17 – Updated: 2022-08-11 18:41
VLAI
Summary
Apache Ozone exposes OM, SCM and Datanode metadata
Details

In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ozone:ozone-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-22T18:38:16Z",
    "nvd_published_at": "2021-11-19T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.",
  "id": "GHSA-gc37-9g7f-96fx",
  "modified": "2022-08-11T18:41:20Z",
  "published": "2021-11-23T18:17:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41532"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3Ce0bc6598-9669-b897-fc28-de8a896e36aa%40apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/19/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Ozone exposes OM, SCM and Datanode metadata"
}

GHSA-GC43-CVGG-XJPV

Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32
VLAI
Details

Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T21:16:03Z",
    "severity": "HIGH"
  },
  "details": "Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-gc43-cvgg-xjpv",
  "modified": "2024-05-16T21:32:01Z",
  "published": "2024-05-16T21:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21813"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00984.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.