Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-MH9H-44JV-CW34

Vulnerability from github – Published: 2024-11-18 06:30 – Updated: 2024-11-18 15:33
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T05:15:04Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.",
  "id": "GHSA-mh9h-44jv-cw34",
  "modified": "2024-11-18T15:33:20Z",
  "published": "2024-11-18T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43704"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHW5-2MX2-2JH7

Vulnerability from github – Published: 2021-11-24 00:00 – Updated: 2022-01-16 00:01
VLAI
Details

Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-23T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
  "id": "GHSA-mhw5-2mx2-2jh7",
  "modified": "2022-01-16T00:01:31Z",
  "published": "2021-11-24T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38004"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1227170"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJ65-F323-P43C

Vulnerability from github – Published: 2023-12-07 15:30 – Updated: 2025-11-04 21:30
VLAI
Details

SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.",
  "id": "GHSA-mj65-f323-p43c",
  "modified": "2025-11-04T21:30:50Z",
  "published": "2023-12-07T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39171"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2023/Nov/2"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Nov/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJPP-5GG7-6F59

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.",
  "id": "GHSA-mjpp-5gg7-6f59",
  "modified": "2022-04-21T00:00:46Z",
  "published": "2022-04-13T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24411"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000196657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMC3-FC94-5JRC

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:01
VLAI
Details

An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.",
  "id": "GHSA-mmc3-fc94-5jrc",
  "modified": "2022-05-27T00:01:19Z",
  "published": "2022-05-19T00:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28924"
    },
    {
      "type": "WEB",
      "url": "https://suumcuique.org/blog/posts/information-disclosure-vulnerability-universis"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMFJ-9VC2-FW9P

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-03-21 03:33
VLAI
Details

The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-24T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.",
  "id": "GHSA-mmfj-9vc2-fw9p",
  "modified": "2024-03-21T03:33:40Z",
  "published": "2022-05-24T16:48:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12929"
    },
    {
      "type": "WEB",
      "url": "https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMJR-5Q74-P3M4

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-25 15:35
VLAI
Summary
Exposure of Resource to Wrong Sphere in Drupal Core
Details

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.9.0"
            },
            {
              "fixed": "8.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.9.0"
            },
            {
              "fixed": "8.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-25T15:35:08Z",
    "nvd_published_at": "2022-02-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.",
  "id": "GHSA-mmjr-5q74-p3m4",
  "modified": "2022-02-25T15:35:08Z",
  "published": "2022-02-12T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2020-011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in Drupal Core"
}

GHSA-MMJR-PQ98-Q2QM

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-06T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24.",
  "id": "GHSA-mmjr-pq98-q2qm",
  "modified": "2022-05-13T01:53:16Z",
  "published": "2022-05-13T01:53:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7072"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03843en_us"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2018-15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMPC-GF74-JMCV

Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-29 00:01
VLAI
Details

An information disclosure issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution.",
  "id": "GHSA-mmpc-gf74-jmcv",
  "modified": "2022-03-29T00:01:36Z",
  "published": "2022-03-19T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22579"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213053"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213054"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213055"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213056"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213057"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMW9-5M6W-W9P6

Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-27 00:00
VLAI
Details

The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.",
  "id": "GHSA-mmw9-5m6w-w9p6",
  "modified": "2022-03-27T00:00:45Z",
  "published": "2022-03-19T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22652"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.