Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1248 vulnerabilities reference this CWE, most recent first.

GHSA-WXM4-276X-4V9J

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-07-13 00:01
VLAI
Details

Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-20T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper validation of kernel buffer address while copying information back to user buffer can lead to kernel memory information exposure to user space in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
  "id": "GHSA-wxm4-276x-4v9j",
  "modified": "2022-07-13T00:01:03Z",
  "published": "2022-05-24T19:18:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1968"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/172856/Qualcomm-NPU-Use-After-Free-Information-Leak.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXP7-94M7-556Q

Vulnerability from github – Published: 2023-07-14 00:30 – Updated: 2024-04-04 06:07
VLAI
Details

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory",
  "id": "GHSA-wxp7-94m7-556q",
  "modified": "2024-04-04T06:07:44Z",
  "published": "2023-07-14T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahiloj/CVE-2023-37599"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2V4-6R37-4QQ5

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-07-13 00:00
VLAI
Details

Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.",
  "id": "GHSA-x2v4-6r37-4qq5",
  "modified": "2022-07-13T00:00:50Z",
  "published": "2022-05-24T19:01:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28012"
    },
    {
      "type": "WEB",
      "url": "https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28012-CLOSE.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X369-MCW8-8RVJ

Vulnerability from github – Published: 2026-03-04 18:18 – Updated: 2026-03-05 15:26
VLAI
Summary
Dark Reader gives users the ability to request style sheets from local web servers
Details

Description

Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type.

Patches

The problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.

The installed extension version number can be verified in Dark Reader's menu (More > All settings > About), browser settings, chrome://extensions or about:addons pages.

Users are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.

NPM package

The issue does not affect developers using the darkreader NPM package for website integration. Developers using the setFetchMethod() API must ensure the cross-origin requests are restricted to the intended scope.

Custom forks

Developers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.

Acknowledgements

Security research performed by Brian Carpenter - Deep Fork Cyber.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "darkreader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.117"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-346",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T18:18:23Z",
    "nvd_published_at": "2026-03-04T22:16:11Z",
    "severity": "LOW"
  },
  "details": "### Description\nDark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example `http://localhost:8080/style.css`, If an address was available and returned a `text/css` content type.\n\n### Patches\nThe problem was fixed in version 4.9.117, released on December 3, 2025. Most users received the update automatically. Users running manual builds must upgrade to version 4.9.117 or later.\n\nThe installed extension version number can be verified in Dark Reader\u0027s menu (More \u003e All settings \u003e About), browser settings, `chrome://extensions` or `about:addons` pages.\n\nUsers are encouraged not to disable automatic extension updates and use the latest browser version, as browser releases typically include multiple security fixes of varying severity.\n\n### NPM package\n\nThe issue does not affect developers using the `darkreader` NPM package for website integration. Developers using the `setFetchMethod()` API must ensure the cross-origin requests are restricted to the intended scope.\n\n### Custom forks\n\nDevelopers using custom forks of earlier versions of Dark Reader to build other extensions, or integrating it into their apps or browsers, should review their implementation to ensure cross-origin requests are handled securely.\n\n### Acknowledgements\nSecurity research performed by [Brian Carpenter](https://x.com/geeknik) - [Deep Fork Cyber](https://deepforkcyber.com/).",
  "id": "GHSA-x369-mcw8-8rvj",
  "modified": "2026-03-05T15:26:18Z",
  "published": "2026-03-04T18:18:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/darkreader/darkreader/security/advisories/GHSA-x369-mcw8-8rvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68467"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/darkreader/darkreader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dark Reader gives users the ability to request style sheets from local web servers"
}

GHSA-X386-HM2P-7Q2H

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00
VLAI
Details

Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.",
  "id": "GHSA-x386-hm2p-7q2h",
  "modified": "2022-06-12T00:00:46Z",
  "published": "2022-06-08T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30732"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3MM-8FP8-Q5GJ

Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2025-01-02 21:31
VLAI
Details

Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26934, CVE-2022-29112.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26934, CVE-2022-29112.",
  "id": "GHSA-x3mm-8fp8-q5gj",
  "modified": "2025-01-02T21:31:32Z",
  "published": "2022-05-11T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22011"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22011"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3P3-X38C-J2C6

Vulnerability from github – Published: 2022-11-25 18:30 – Updated: 2022-11-29 21:30
VLAI
Details

PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.",
  "id": "GHSA-x3p3-x38c-j2c6",
  "modified": "2022-11-29T21:30:26Z",
  "published": "2022-11-25T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38813"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1iMswKzoUvindXUGh1cuAmi-0R84tLDaH/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RashidKhanPathan/CVE-2022-38813"
    },
    {
      "type": "WEB",
      "url": "https://ihexcoder.wixsite.com/secresearch/post/cve-2022-38813-privilege-escalations-in-blood-donor-management-system-v1-0"
    },
    {
      "type": "WEB",
      "url": "https://phpgurukul.com/blood-donor-management-system-using-codeigniter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3V8-G92V-WP97

Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2023-08-08 15:31
VLAI
Details

Visual Basic for Applications Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Visual Basic for Applications Information Disclosure Vulnerability",
  "id": "GHSA-x3v8-g92v-wp97",
  "modified": "2023-08-08T15:31:24Z",
  "published": "2021-12-16T00:02:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42295"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X444-P8VV-928W

Vulnerability from github – Published: 2023-02-27 15:30 – Updated: 2023-03-09 15:30
VLAI
Details

Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the "Regenerate Invite Id" API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the \"Regenerate Invite Id\" API endpoint, allowing an attacker with team admin privileges to learn the team owner\u0027s email address in the response.",
  "id": "GHSA-x444-p8vv-928w",
  "modified": "2023-03-09T15:30:50Z",
  "published": "2023-02-27T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27265"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X446-3XHQ-5XFP

Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-26 13:03
VLAI
Summary
Exposure of Resource to Wrong Sphere in Simple-Wayland-HotKey-Daemon
Details

SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "Simple-Wayland-HotKey-Daemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-26T13:03:51Z",
    "nvd_published_at": "2022-04-14T17:15:00Z",
    "severity": "LOW"
  },
  "details": "SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.",
  "id": "GHSA-x446-3xhq-5xfp",
  "modified": "2022-04-26T13:03:51Z",
  "published": "2022-04-15T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27814"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/waycrate/swhkd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/waycrate/swhkd/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/waycrate/swhkd/releases/tag/1.2.0"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/04/14/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in Simple-Wayland-HotKey-Daemon"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.