CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-MH3H-5C5W-CQH9
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2024-04-03 23:57Monkey HTTP Daemon has local security bypass
{
"affected": [],
"aliases": [
"CVE-2013-2183"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-10T15:15:00Z",
"severity": "HIGH"
},
"details": "Monkey HTTP Daemon has local security bypass",
"id": "GHSA-mh3h-5c5w-cqh9",
"modified": "2024-04-03T23:57:36Z",
"published": "2022-05-05T00:29:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2183"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2013-2183"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/60589"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/06/14/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/06/14/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MH9H-44JV-CW34
Vulnerability from github – Published: 2024-11-18 06:30 – Updated: 2024-11-18 15:33Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.
{
"affected": [],
"aliases": [
"CVE-2024-43704"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T05:15:04Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.",
"id": "GHSA-mh9h-44jv-cw34",
"modified": "2024-11-18T15:33:20Z",
"published": "2024-11-18T06:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43704"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHW5-2MX2-2JH7
Vulnerability from github – Published: 2021-11-24 00:00 – Updated: 2022-01-16 00:01Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-38004"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-23T22:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-mhw5-2mx2-2jh7",
"modified": "2022-01-16T00:01:31Z",
"published": "2021-11-24T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38004"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1227170"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5046"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MJ65-F323-P43C
Vulnerability from github – Published: 2023-12-07 15:30 – Updated: 2025-11-04 21:30SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.
{
"affected": [],
"aliases": [
"CVE-2023-39171"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-07T15:15:09Z",
"severity": "HIGH"
},
"details": "SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.",
"id": "GHSA-mj65-f323-p43c",
"modified": "2025-11-04T21:30:50Z",
"published": "2023-12-07T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39171"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2023/Nov/2"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Nov/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJPP-5GG7-6F59
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.
{
"affected": [],
"aliases": [
"CVE-2022-24411"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T18:15:00Z",
"severity": "HIGH"
},
"details": "Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.",
"id": "GHSA-mjpp-5gg7-6f59",
"modified": "2022-04-21T00:00:46Z",
"published": "2022-04-13T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24411"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMC3-FC94-5JRC
Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:01An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.
{
"affected": [],
"aliases": [
"CVE-2022-28924"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.",
"id": "GHSA-mmc3-fc94-5jrc",
"modified": "2022-05-27T00:01:19Z",
"published": "2022-05-19T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28924"
},
{
"type": "WEB",
"url": "https://suumcuique.org/blog/posts/information-disclosure-vulnerability-universis"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MMFJ-9VC2-FW9P
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-03-21 03:33The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
{
"affected": [],
"aliases": [
"CVE-2019-12929"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-24T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.",
"id": "GHSA-mmfj-9vc2-fw9p",
"modified": "2024-03-21T03:33:40Z",
"published": "2022-05-24T16:48:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12929"
},
{
"type": "WEB",
"url": "https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMJR-5Q74-P3M4
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-25 15:35Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.8.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.8.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13670"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-25T15:35:08Z",
"nvd_published_at": "2022-02-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.",
"id": "GHSA-mmjr-5q74-p3m4",
"modified": "2022-02-25T15:35:08Z",
"published": "2022-02-12T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13670"
},
{
"type": "WEB",
"url": "https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2020-011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in Drupal Core"
}
GHSA-MMJR-PQ98-Q2QM
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24.
{
"affected": [],
"aliases": [
"CVE-2018-7072"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-06T20:29:00Z",
"severity": "CRITICAL"
},
"details": "A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24.",
"id": "GHSA-mmjr-pq98-q2qm",
"modified": "2022-05-13T01:53:16Z",
"published": "2022-05-13T01:53:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7072"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03843en_us"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2018-15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMPC-GF74-JMCV
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-29 00:01An information disclosure issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2022-22579"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, tvOS 15.3, Security Update 2022-001 Catalina, macOS Monterey 12.2, macOS Big Sur 11.6.3. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution.",
"id": "GHSA-mmpc-gf74-jmcv",
"modified": "2022-03-29T00:01:36Z",
"published": "2022-03-19T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22579"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213053"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213054"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213055"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213056"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213057"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.