Common Weakness Enumeration

CWE-749

Allowed

Exposed Dangerous Method or Function

Abstraction: Base · Status: Incomplete

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

303 vulnerabilities reference this CWE, most recent first.

GHSA-XGQ5-8XJQ-968V

Vulnerability from github – Published: 2025-07-01 15:31 – Updated: 2025-07-01 15:31
VLAI
Details

A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-01T14:15:38Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service",
  "id": "GHSA-xgq5-8xjq-968v",
  "modified": "2025-07-01T15:31:09Z",
  "published": "2025-07-01T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37097"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04878en_us\u0026docLocale=en_US"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2025-15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV6G-6G23-79W2

Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-06 15:30
VLAI
Details

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-29T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.",
  "id": "GHSA-xv6g-6g23-79w2",
  "modified": "2023-04-06T15:30:18Z",
  "published": "2023-03-29T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36983"
    },
    {
      "type": "WEB",
      "url": "https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVPW-PP3C-GX2X

Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30
VLAI
Details

RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-749"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T22:15:50Z",
    "severity": "HIGH"
  },
  "details": "RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677.",
  "id": "GHSA-xvpw-pp3c-gx2x",
  "modified": "2025-12-24T00:30:16Z",
  "published": "2025-12-24T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14495"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1169"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Mitigation
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
  • Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
  • accessible to all users
  • restricted to a small set of privileged users
  • prevented from being directly accessible at all
CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.