CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-MRMF-7953-R786
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-24 00:00A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.
{
"affected": [],
"aliases": [
"CVE-2022-31845"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T14:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.",
"id": "GHSA-mrmf-7953-r786",
"modified": "2022-06-24T00:00:32Z",
"published": "2022-06-15T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31845"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489"
},
{
"type": "WEB",
"url": "https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__check_live.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MV8V-WVHP-6WJW
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-13 00:00In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154114734
{
"affected": [],
"aliases": [
"CVE-2021-0466"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T17:15:00Z",
"severity": "HIGH"
},
"details": "In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154114734",
"id": "GHSA-mv8v-wvhp-6wjw",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:05:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0466"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVHG-CG8P-75PQ
Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2023-08-08 15:31Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A
{
"affected": [],
"aliases": [
"CVE-2021-39646"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "HIGH"
},
"details": "Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A",
"id": "GHSA-mvhg-cg8p-75pq",
"modified": "2023-08-08T15:31:25Z",
"published": "2021-12-16T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39646"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVVM-XJVF-379M
Vulnerability from github – Published: 2022-03-25 00:00 – Updated: 2022-03-30 00:00OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.
{
"affected": [],
"aliases": [
"CVE-2022-25041"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.",
"id": "GHSA-mvvm-xjvf-379m",
"modified": "2022-03-30T00:00:50Z",
"published": "2022-03-25T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25041"
},
{
"type": "WEB",
"url": "https://github.com/openemr"
},
{
"type": "WEB",
"url": "https://securityforeveryone.com/blog/openemr-0-day-incorrect-access-control-vulnerability-cve-2022-25041"
},
{
"type": "WEB",
"url": "https://www.open-emr.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVX3-H3XQ-HVWM
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.
{
"affected": [],
"aliases": [
"CVE-2021-25357"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.",
"id": "GHSA-mvx3-h3xq-hvwm",
"modified": "2022-05-24T17:46:59Z",
"published": "2022-05-24T17:46:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25357"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MW57-GV8V-CJ4R
Vulnerability from github – Published: 2024-01-09 18:30 – Updated: 2024-01-09 18:30Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-20692"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T18:15:52Z",
"severity": "MODERATE"
},
"details": "Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability",
"id": "GHSA-mw57-gv8v-cj4r",
"modified": "2024-01-09T18:30:29Z",
"published": "2024-01-09T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20692"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MW9G-699G-M8GM
Vulnerability from github – Published: 2021-12-07 00:00 – Updated: 2022-05-14 00:03An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.
{
"affected": [],
"aliases": [
"CVE-2021-43039"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-06T04:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.",
"id": "GHSA-mw9g-699g-m8gm",
"modified": "2022-05-14T00:03:45Z",
"published": "2021-12-07T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43039"
},
{
"type": "WEB",
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961"
},
{
"type": "WEB",
"url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1"
},
{
"type": "WEB",
"url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWJC-697V-R7M7
Vulnerability from github – Published: 2023-09-14 12:30 – Updated: 2024-04-04 07:40A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.
{
"affected": [],
"aliases": [
"CVE-2023-38558"
],
"database_specific": {
"cwe_ids": [
"CWE-538",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-14T11:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.",
"id": "GHSA-mwjc-697v-r7m7",
"modified": "2024-04-04T07:40:13Z",
"published": "2023-09-14T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38558"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-646240.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWPQ-GG3Q-W4QR
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01An issue existed in determining cache occupancy. The issue was addressed through improved logic. This issue is fixed in macOS Big Sur 11.3. A malicious website may be able to track users by setting state in a cache.
{
"affected": [],
"aliases": [
"CVE-2021-1861"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T15:15:00Z",
"severity": "MODERATE"
},
"details": "An issue existed in determining cache occupancy. The issue was addressed through improved logic. This issue is fixed in macOS Big Sur 11.3. A malicious website may be able to track users by setting state in a cache.",
"id": "GHSA-mwpq-gg3q-w4qr",
"modified": "2022-07-13T00:01:01Z",
"published": "2022-05-24T19:13:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1861"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWVX-WP54-2XV5
Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2024-04-04 05:18Exposure of resource to wrong sphere issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow a network-adjacent attacker to use functions originally available after login without logging in.
{
"affected": [],
"aliases": [
"CVE-2023-32613"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T05:15:09Z",
"severity": "HIGH"
},
"details": "Exposure of resource to wrong sphere issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow a network-adjacent attacker to use functions originally available after login without logging in.",
"id": "GHSA-mwvx-wp54-2xv5",
"modified": "2024-04-04T05:18:41Z",
"published": "2023-06-30T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32613"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN78634340"
},
{
"type": "WEB",
"url": "https://www.wavlink.com/en_us/firmware/details/932108ffc5.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.