CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-PVC4-X6FM-W5WG
Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
{
"affected": [],
"aliases": [
"CVE-2022-36830"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.",
"id": "GHSA-pvc4-x6fm-w5wg",
"modified": "2022-08-11T00:00:34Z",
"published": "2022-08-06T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36830"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=08"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year==2022\u0026month=08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVF9-JP7G-W7J3
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-10 21:30A vulnerability exists which allows an authenticated attacker to access sensitive information on the ArubaOS command line interface. Successful exploitation could allow access to data beyond what is authorized by the users existing privilege level.
{
"affected": [],
"aliases": [
"CVE-2023-22775"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists which allows an authenticated attacker to access sensitive information on the ArubaOS command line interface. Successful exploitation could allow access to data beyond what is authorized by the users existing privilege level.",
"id": "GHSA-pvf9-jp7g-w7j3",
"modified": "2023-03-10T21:30:25Z",
"published": "2023-03-01T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22775"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVRV-V6WR-F2VV
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2026-07-05 03:30Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history.
{
"affected": [],
"aliases": [
"CVE-2021-33259"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-31T19:15:00Z",
"severity": "MODERATE"
},
"details": "Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users\u0027 DNS query history.",
"id": "GHSA-pvrv-v6wr-f2vv",
"modified": "2026-07-05T03:30:44Z",
"published": "2022-05-24T19:19:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33259"
},
{
"type": "WEB",
"url": "https://github.com/jayus0821/uai-poc/blob/main/D-Link/DIR-868L/webaccess_UAI.md"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"type": "WEB",
"url": "http://d-link.com"
},
{
"type": "WEB",
"url": "http://dir-868lw.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PW4C-H493-RXM2
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.
{
"affected": [],
"aliases": [
"CVE-2023-44124"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:35Z",
"severity": "LOW"
},
"details": "The vulnerability is to theft of arbitrary files with system privilege in the Screen recording (\"com.lge.gametools.gamerecorder\") app in the \"com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java\" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the \"onActivityResult()\" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.",
"id": "GHSA-pw4c-h493-rxm2",
"modified": "2024-04-04T07:55:18Z",
"published": "2023-09-27T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44124"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PWCF-P9QX-3948
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-03-21 03:33The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
{
"affected": [],
"aliases": [
"CVE-2019-12928"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-24T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.",
"id": "GHSA-pwcf-p9qx-3948",
"modified": "2024-03-21T03:33:40Z",
"published": "2022-05-24T16:48:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12928"
},
{
"type": "WEB",
"url": "https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWF7-2P5C-8X94
Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-22011, CVE-2022-26934.
{
"affected": [],
"aliases": [
"CVE-2022-29112"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-22011, CVE-2022-26934.",
"id": "GHSA-pwf7-2p5c-8x94",
"modified": "2025-01-02T21:31:34Z",
"published": "2022-05-11T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29112"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29112"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PWFH-3W8F-VWW5
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2022-03-31 00:01An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.
{
"affected": [],
"aliases": [
"CVE-2021-29115"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T11:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.",
"id": "GHSA-pwfh-3w8f-vww5",
"modified": "2022-03-31T00:01:04Z",
"published": "2021-12-08T00:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29115"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PWHP-6H3M-R2XH
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2023-08-08 15:31In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.
{
"affected": [],
"aliases": [
"CVE-2021-31814"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.",
"id": "GHSA-pwhp-6h3m-r2xh",
"modified": "2023-08-08T15:31:43Z",
"published": "2022-02-11T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31814"
},
{
"type": "WEB",
"url": "https://advisories.stormshield.eu"
},
{
"type": "WEB",
"url": "https://advisories.stormshield.eu/2021-019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWJC-PM2Q-CPG2
Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-07 00:00cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.
{
"affected": [],
"aliases": [
"CVE-2022-29869"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-28T01:15:00Z",
"severity": "MODERATE"
},
"details": "cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.",
"id": "GHSA-pwjc-pm2q-cpg2",
"modified": "2022-05-07T00:00:56Z",
"published": "2022-04-29T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29869"
},
{
"type": "WEB",
"url": "https://github.com/piastry/cifs-utils/pull/7"
},
{
"type": "WEB",
"url": "https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00020.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WBOLMANBYJILXQKRRK7OCR774PXJAYY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXKZLJYJJEC3TIBFLXUORRMZUKG5W676"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIYZ4L6SLSYJQ446VJAO2VGAESURQNSP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WBOLMANBYJILXQKRRK7OCR774PXJAYY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HXKZLJYJJEC3TIBFLXUORRMZUKG5W676"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIYZ4L6SLSYJQ446VJAO2VGAESURQNSP"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-05"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX37-V4HM-7F6Q
Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110.
{
"affected": [],
"aliases": [
"CVE-2023-50328"
],
"database_specific": {
"cwe_ids": [
"CWE-598",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T02:15:16Z",
"severity": "LOW"
},
"details": "IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110.\n\n",
"id": "GHSA-px37-v4hm-7f6q",
"modified": "2024-02-02T03:30:32Z",
"published": "2024-02-02T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50328"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275110"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7113759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.