Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-MRMF-7953-R786

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-24 00:00
VLAI
Details

A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.",
  "id": "GHSA-mrmf-7953-r786",
  "modified": "2022-06-24T00:00:32Z",
  "published": "2022-06-15T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31845"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__check_live.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV8V-WVHP-6WJW

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-13 00:00
VLAI
Details

In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154114734

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154114734",
  "id": "GHSA-mv8v-wvhp-6wjw",
  "modified": "2022-07-13T00:00:59Z",
  "published": "2022-05-24T19:05:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0466"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-05-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVHG-CG8P-75PQ

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A",
  "id": "GHSA-mvhg-cg8p-75pq",
  "modified": "2023-08-08T15:31:25Z",
  "published": "2021-12-16T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39646"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVVM-XJVF-379M

Vulnerability from github – Published: 2022-03-25 00:00 – Updated: 2022-03-30 00:00
VLAI
Details

OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-23T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.",
  "id": "GHSA-mvvm-xjvf-379m",
  "modified": "2022-03-30T00:00:50Z",
  "published": "2022-03-25T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openemr"
    },
    {
      "type": "WEB",
      "url": "https://securityforeveryone.com/blog/openemr-0-day-incorrect-access-control-vulnerability-cve-2022-25041"
    },
    {
      "type": "WEB",
      "url": "https://www.open-emr.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVX3-H3XQ-HVWM

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged applications to access contact information.",
  "id": "GHSA-mvx3-h3xq-hvwm",
  "modified": "2022-05-24T17:46:59Z",
  "published": "2022-05-24T17:46:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25357"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW57-GV8V-CJ4R

Vulnerability from github – Published: 2024-01-09 18:30 – Updated: 2024-01-09 18:30
VLAI
Details

Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T18:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability",
  "id": "GHSA-mw57-gv8v-cj4r",
  "modified": "2024-01-09T18:30:29Z",
  "published": "2024-01-09T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20692"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20692"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW9G-699G-M8GM

Vulnerability from github – Published: 2021-12-07 00:00 – Updated: 2022-05-14 00:03
VLAI
Details

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-06T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.",
  "id": "GHSA-mw9g-699g-m8gm",
  "modified": "2022-05-14T00:03:45Z",
  "published": "2021-12-07T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43039"
    },
    {
      "type": "WEB",
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961"
    },
    {
      "type": "WEB",
      "url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1"
    },
    {
      "type": "WEB",
      "url": "https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWJC-697V-R7M7

Vulnerability from github – Published: 2023-09-14 12:30 – Updated: 2024-04-04 07:40
VLAI
Details

A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-538",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-14T11:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SIMATIC PCS neo (Administration Console) V4.0 (All versions), SIMATIC PCS neo (Administration Console) V4.0 Update 1 (All versions). The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.",
  "id": "GHSA-mwjc-697v-r7m7",
  "modified": "2024-04-04T07:40:13Z",
  "published": "2023-09-14T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38558"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-646240.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWPQ-GG3Q-W4QR

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-07-13 00:01
VLAI
Details

An issue existed in determining cache occupancy. The issue was addressed through improved logic. This issue is fixed in macOS Big Sur 11.3. A malicious website may be able to track users by setting state in a cache.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue existed in determining cache occupancy. The issue was addressed through improved logic. This issue is fixed in macOS Big Sur 11.3. A malicious website may be able to track users by setting state in a cache.",
  "id": "GHSA-mwpq-gg3q-w4qr",
  "modified": "2022-07-13T00:01:01Z",
  "published": "2022-05-24T19:13:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1861"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWVX-WP54-2XV5

Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2024-04-04 05:18
VLAI
Details

Exposure of resource to wrong sphere issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow a network-adjacent attacker to use functions originally available after login without logging in.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "Exposure of resource to wrong sphere issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow a network-adjacent attacker to use functions originally available after login without logging in.",
  "id": "GHSA-mwvx-wp54-2xv5",
  "modified": "2024-04-04T05:18:41Z",
  "published": "2023-06-30T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32613"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN78634340"
    },
    {
      "type": "WEB",
      "url": "https://www.wavlink.com/en_us/firmware/details/932108ffc5.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.