Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-Q72P-4W56-HX7H

Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2023-07-11 00:16
VLAI
Summary
Hardcoded JWT Token in Lin CMS Spring Boot
Details

An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.talelin:lin-cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-32430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-11T00:16:48Z",
    "nvd_published_at": "2022-07-21T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.",
  "id": "GHSA-q72p-4w56-hx7h",
  "modified": "2023-07-11T00:16:48Z",
  "published": "2022-07-22T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32430"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TaleLin/lin-cms-spring-boot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/resources/application.yml#L43"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220721190946/https://www.mesec.cn/archives/277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hardcoded JWT Token in Lin CMS Spring Boot"
}

GHSA-Q73X-XMPW-H2W6

Vulnerability from github – Published: 2022-02-13 00:00 – Updated: 2022-03-17 00:05
VLAI
Details

Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-12T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
  "id": "GHSA-q73x-xmpw-h2w6",
  "modified": "2022-03-17T00:05:36Z",
  "published": "2022-02-13T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0117"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1115847"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7W9-W25V-6WQM

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users\u0027 data upon a successful login request.",
  "id": "GHSA-q7w9-w25v-6wqm",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-14T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38770"
    },
    {
      "type": "WEB",
      "url": "https://mojodat-vulnerabilities.netlify.app"
    },
    {
      "type": "WEB",
      "url": "https://transtek.com/mojodat-fixed-assets"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7XV-26R5-C2H7

Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00
VLAI
Details

Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-23T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin \u003c= 2.6 at WordPress.",
  "id": "GHSA-q7xv-26r5-c2h7",
  "modified": "2022-08-27T00:00:56Z",
  "published": "2022-08-24T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35235"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wpide/wordpress-wpide-plugin-2-6-authenticated-arbitrary-file-read-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpide/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9GJ-HWHG-7F7H

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01
VLAI
Details

IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-26T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to obtain sensitive information or conduct denial of serivce attacks due to open ports. IBM X-Force ID: 201018.",
  "id": "GHSA-q9gj-hwhg-7f7h",
  "modified": "2022-07-13T00:01:17Z",
  "published": "2022-05-24T19:12:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29715"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201018"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6483653"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC86-J87R-2654

Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-06-02 00:00
VLAI
Details

Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Failure to verify the protocol in SMM may allow an attacker to control the protocol and modify SPI flash resulting in a potential arbitrary code execution.",
  "id": "GHSA-qc86-j87r-2654",
  "modified": "2022-06-02T00:00:39Z",
  "published": "2022-05-13T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26317"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCCC-5FMC-RM5V

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-07-13 00:01
VLAI
Details

There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-02T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Information Disclosure Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.",
  "id": "GHSA-qccc-5fmc-rm5v",
  "modified": "2022-07-13T00:01:09Z",
  "published": "2022-05-24T19:09:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22446"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCPF-R4F6-XPVM

Vulnerability from github – Published: 2023-08-29 00:32 – Updated: 2024-04-04 07:14
VLAI
Details

An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows physical attackers to gain escalated privileges via a telnet connection.",
  "id": "GHSA-qcpf-r4f6-xpvm",
  "modified": "2024-04-04T07:14:53Z",
  "published": "2023-08-29T00:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34725"
    },
    {
      "type": "WEB",
      "url": "https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725"
    },
    {
      "type": "WEB",
      "url": "https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174553/TECHView-LA5570-Wireless-Gateway-1.0.19_T53-Traversal-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCQ8-MGFX-4PFJ

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-19T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow",
  "id": "GHSA-qcq8-mgfx-4pfj",
  "modified": "2022-05-24T19:11:40Z",
  "published": "2022-05-24T19:11:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deadlysnowman3308/upgraded-ARP-Poisoning"
    },
    {
      "type": "WEB",
      "url": "https://hackingvila.wordpress.com/2021/04/28/upgraded-arp-poisoning-tool"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QF8X-C298-X5PJ

Vulnerability from github – Published: 2022-01-20 00:00 – Updated: 2023-08-08 15:31
VLAI
Details

An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.",
  "id": "GHSA-qf8x-c298-x5pj",
  "modified": "2023-08-08T15:31:37Z",
  "published": "2022-01-20T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44837"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/rntcruz23/8a91e6366a8247a0692c8ce2dfe87f21"
    },
    {
      "type": "WEB",
      "url": "https://www.deltarm.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.