Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-QVPM-G7WJ-8G8G

Vulnerability from github – Published: 2022-03-22 00:00 – Updated: 2026-07-05 03:30
VLAI
Details

BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-21T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control.",
  "id": "GHSA-qvpm-g7wj-8g8g",
  "modified": "2026-07-05T03:30:46Z",
  "published": "2022-03-22T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23345"
    },
    {
      "type": "WEB",
      "url": "https://www.bigantsoft.com"
    },
    {
      "type": "WEB",
      "url": "http://bigant.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QVXP-WQPJ-8GWF

Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2022-03-19 00:01
VLAI
Details

Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user\u2019s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.",
  "id": "GHSA-qvxp-wqpj-8gwf",
  "modified": "2022-03-19T00:01:23Z",
  "published": "2022-03-12T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0815"
    },
    {
      "type": "WEB",
      "url": "https://service.mcafee.com/?articleId=TS103273\u0026page=shell\u0026shell=article-view"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QW42-C99X-MHGJ

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-02-24 00:01
VLAI
Details

Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-15T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.",
  "id": "GHSA-qw42-c99x-mhgj",
  "modified": "2022-02-24T00:01:09Z",
  "published": "2022-02-16T00:01:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0007/MNDT-2022-0007.md"
    },
    {
      "type": "WEB",
      "url": "https://www.splashtop.com/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QW6V-CQCW-98JC

Vulnerability from github – Published: 2023-09-15 03:30 – Updated: 2024-01-25 18:30
VLAI
Details

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application. This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-15T03:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) message processing feature of Cisco Jabber could allow an authenticated, remote attacker to manipulate the content of XMPP messages that are used by the affected application.\n This vulnerability is due to the improper handling of nested XMPP messages within requests that are sent to the Cisco Jabber client software. An attacker could exploit this vulnerability by connecting to an XMPP messaging server and sending crafted XMPP messages to an affected Jabber client. A successful exploit could allow the attacker to manipulate the content of XMPP messages, possibly allowing the attacker to cause the Jabber client application to perform unsafe actions.",
  "id": "GHSA-qw6v-cqcw-98jc",
  "modified": "2024-01-25T18:30:44Z",
  "published": "2023-09-15T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20917"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-xmpp-Ne9SCM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QW79-R33F-9PVJ

Vulnerability from github – Published: 2026-06-03 00:30 – Updated: 2026-06-03 21:30
VLAI
Details

Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-02T22:16:15Z",
    "severity": "HIGH"
  },
  "details": "Dr\u00e4ger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dr\u00e4ger Service Connect.",
  "id": "GHSA-qw79-r33f-9pvj",
  "modified": "2026-06-03T21:30:28Z",
  "published": "2026-06-03T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15653"
    },
    {
      "type": "WEB",
      "url": "https://static.draeger.com/security/download/Product-Security-Advisory-25-349-Zeus.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.draeger.com/security"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dr-ger-zeus-ie-anesthesia-workstation-usb-interface-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QWWV-HC99-6F5P

Vulnerability from github – Published: 2026-06-19 00:31 – Updated: 2026-06-19 00:31
VLAI
Details

PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T23:16:19Z",
    "severity": "HIGH"
  },
  "details": "PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents.",
  "id": "GHSA-qwwv-hc99-6f5p",
  "modified": "2026-06-19T00:31:37Z",
  "published": "2026-06-19T00:31:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56077"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-information-disclosure-via-shared-multiagentledger-state"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QX39-7CF8-2GF6

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-16 00:00
VLAI
Details

Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.",
  "id": "GHSA-qx39-7cf8-2gf6",
  "modified": "2022-07-16T00:00:21Z",
  "published": "2022-07-13T00:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40012"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/7"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/8"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202208-0000001363876177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX73-VWH5-XJPC

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior)",
  "id": "GHSA-qx73-vwh5-xjpc",
  "modified": "2022-07-07T00:00:25Z",
  "published": "2022-06-25T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32530"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-02_Geo_SCADA_Android_App_Security_Notification.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX9H-HX3F-JR6W

Vulnerability from github – Published: 2023-06-06 18:30 – Updated: 2024-04-04 04:36
VLAI
Details

Landscape's server-status page exposed sensitive system information. This data leak included GET requests which contain information to attack and leak further information from the Landscape API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-497",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "Landscape\u0027s server-status page exposed sensitive system information. This data leak included GET requests which contain information to attack and leak further information from the Landscape API.",
  "id": "GHSA-qx9h-hx3f-jr6w",
  "modified": "2024-04-04T04:36:06Z",
  "published": "2023-06-06T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32550"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/landscape/+bug/1929037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXXC-7MQ4-MF79

Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-20 22:03
VLAI
Summary
Java Merge-sort Insecure Temporary File vulnerability
Details

Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.util:java-merge-sort"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:55:23Z",
    "nvd_published_at": "2023-01-12T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exposing temporary file contents.",
  "id": "GHSA-qxxc-7mq4-mf79",
  "modified": "2023-01-20T22:03:35Z",
  "published": "2023-01-12T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowtowncoder/java-merge-sort/pull/21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cowtowncoder/java-merge-sort"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Java Merge-sort Insecure Temporary File vulnerability"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.