CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-Q72P-4W56-HX7H
Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2023-07-11 00:16An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.talelin:lin-cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-32430"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-11T00:16:48Z",
"nvd_published_at": "2022-07-21T16:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.",
"id": "GHSA-q72p-4w56-hx7h",
"modified": "2023-07-11T00:16:48Z",
"published": "2022-07-22T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32430"
},
{
"type": "PACKAGE",
"url": "https://github.com/TaleLin/lin-cms-spring-boot"
},
{
"type": "WEB",
"url": "https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/resources/application.yml#L43"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220721190946/https://www.mesec.cn/archives/277"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hardcoded JWT Token in Lin CMS Spring Boot"
}
GHSA-Q73X-XMPW-H2W6
Vulnerability from github – Published: 2022-02-13 00:00 – Updated: 2022-03-17 00:05Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0117"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-12T00:15:00Z",
"severity": "MODERATE"
},
"details": "Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-q73x-xmpw-h2w6",
"modified": "2022-03-17T00:05:36Z",
"published": "2022-02-13T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0117"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1115847"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7W9-W25V-6WQM
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.
{
"affected": [],
"aliases": [
"CVE-2022-38770"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T23:15:00Z",
"severity": "MODERATE"
},
"details": "The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users\u0027 data upon a successful login request.",
"id": "GHSA-q7w9-w25v-6wqm",
"modified": "2022-09-18T00:00:32Z",
"published": "2022-09-14T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38770"
},
{
"type": "WEB",
"url": "https://mojodat-vulnerabilities.netlify.app"
},
{
"type": "WEB",
"url": "https://transtek.com/mojodat-fixed-assets"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7XV-26R5-C2H7
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-35235"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin \u003c= 2.6 at WordPress.",
"id": "GHSA-q7xv-26r5-c2h7",
"modified": "2022-08-27T00:00:56Z",
"published": "2022-08-24T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35235"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wpide/wordpress-wpide-plugin-2-6-authenticated-arbitrary-file-read-vulnerability"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/wpide/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9GJ-HWHG-7F7H
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.
{
"affected": [],
"aliases": [
"CVE-2021-29715"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-26T20:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.",
"id": "GHSA-q9gj-hwhg-7f7h",
"modified": "2022-07-13T00:01:17Z",
"published": "2022-05-24T19:12:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29715"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201018"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6483653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC86-J87R-2654
Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-06-02 00:00Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-26317"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.",
"id": "GHSA-qc86-j87r-2654",
"modified": "2022-06-02T00:00:39Z",
"published": "2022-05-13T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26317"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCCC-5FMC-RM5V
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.
{
"affected": [],
"aliases": [
"CVE-2021-22446"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T18:15:00Z",
"severity": "HIGH"
},
"details": "There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.",
"id": "GHSA-qccc-5fmc-rm5v",
"modified": "2022-07-13T00:01:09Z",
"published": "2022-05-24T19:09:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22446"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCPF-R4F6-XPVM
Vulnerability from github – Published: 2023-08-29 00:32 – Updated: 2024-04-04 07:14An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.
{
"affected": [],
"aliases": [
"CVE-2023-34725"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T22:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.",
"id": "GHSA-qcpf-r4f6-xpvm",
"modified": "2024-04-04T07:14:53Z",
"published": "2023-08-29T00:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34725"
},
{
"type": "WEB",
"url": "https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725"
},
{
"type": "WEB",
"url": "https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/174553/TECHView-LA5570-Wireless-Gateway-1.0.19_T53-Traversal-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCQ8-MGFX-4PFJ
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow
{
"affected": [],
"aliases": [
"CVE-2021-29280"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow",
"id": "GHSA-qcq8-mgfx-4pfj",
"modified": "2022-05-24T19:11:40Z",
"published": "2022-05-24T19:11:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29280"
},
{
"type": "WEB",
"url": "https://github.com/deadlysnowman3308/upgraded-ARP-Poisoning"
},
{
"type": "WEB",
"url": "https://hackingvila.wordpress.com/2021/04/28/upgraded-arp-poisoning-tool"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QF8X-C298-X5PJ
Vulnerability from github – Published: 2022-01-20 00:00 – Updated: 2023-08-08 15:31An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.
{
"affected": [],
"aliases": [
"CVE-2021-44837"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.",
"id": "GHSA-qf8x-c298-x5pj",
"modified": "2023-08-08T15:31:37Z",
"published": "2022-01-20T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44837"
},
{
"type": "WEB",
"url": "https://gist.github.com/rntcruz23/8a91e6366a8247a0692c8ce2dfe87f21"
},
{
"type": "WEB",
"url": "https://www.deltarm.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.