CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1252 vulnerabilities reference this CWE, most recent first.
GHSA-MMW9-5M6W-W9P6
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-27 00:00The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.
{
"affected": [],
"aliases": [
"CVE-2022-22652"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel. This issue is fixed in iOS 15.4 and iPadOS 15.4. A person with physical access may be able to view and modify the carrier account information and settings from the lock screen.",
"id": "GHSA-mmw9-5m6w-w9p6",
"modified": "2022-03-27T00:00:45Z",
"published": "2022-03-19T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22652"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP3J-MVWR-J4C4
Vulnerability from github – Published: 2023-04-13 06:30 – Updated: 2024-04-04 03:25KYOCERA Mobile Print' v3.2.0.230119 and earlier, 'UTAX/TA MobilePrint' v3.2.0.230119 and earlier, and 'Olivetti Mobile Print' v3.2.0.230119 and earlier are vulnerable to improper intent handling. When a malicious app is installed on the victim user's Android device, the app may send an intent and direct the affected app to download malicious files or apps to the device without notification.
{
"affected": [],
"aliases": [
"CVE-2023-25954"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T04:15:00Z",
"severity": "MODERATE"
},
"details": "KYOCERA Mobile Print\u0027 v3.2.0.230119 and earlier, \u0027UTAX/TA MobilePrint\u0027 v3.2.0.230119 and earlier, and \u0027Olivetti Mobile Print\u0027 v3.2.0.230119 and earlier are vulnerable to improper intent handling. When a malicious app is installed on the victim user\u0027s Android device, the app may send an intent and direct the affected app to download malicious files or apps to the device without notification.",
"id": "GHSA-mp3j-mvwr-j4c4",
"modified": "2024-04-04T03:25:49Z",
"published": "2023-04-13T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25954"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU98434809"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprint"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprintolivetti"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.kyocera.kyoprinttautax"
},
{
"type": "WEB",
"url": "https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2023-04-11.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPF8-4HX2-7CJG
Vulnerability from github – Published: 2026-05-07 04:29 – Updated: 2026-05-14 20:36Summary
A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution.
When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including:
- Performing identity checks using host-side
WeakMap - Mutating host object state from inside the sandbox
This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object.
As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.
Details
In setup-sandbox.js, vm2 wraps Promise.prototype.then:
```js globalPromise.prototype.then = function then(onFulfilled, onRejected) { resetPromiseSpecies(this);
if (typeof onFulfilled === 'function') { const origOnFulfilled = onFulfilled; onFulfilled = function onFulfilled(value) { value = ensureThis(value); return apply(origOnFulfilled, this, [value]); }; }
return apply(globalPromiseThen, this, [onFulfilled, onRejected]); };
The wrapper calls ensureThis(value) before invoking the sandbox callback.
However, ensureThis is implemented in bridge.js as thisEnsureThis():
function thisEnsureThis(other) { const type = typeof other;
switch (type) { case 'object': if (other === null) return null;
case 'function':
let proto = thisReflectGetPrototypeOf(other);
if (!proto) {
return other;
}
while (proto) {
const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);
if (mapping) {
const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);
if (mapped) return mapped;
return mapping(defaultFactory, other);
}
proto = thisReflectGetPrototypeOf(proto);
}
return other;
If no prototype mapping is found, ensureThis() simply returns the original object:
return other;
This means the sandbox receives the original host object instead of a proxied or sanitized representation.
Because of this behavior, values resolved by host Promises can cross the host–sandbox boundary with identity preserved.
PoC
The following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.
WeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.
PoC Code import {VM} from "./index.js";
const hostObj = {tag: "HOST_OBJ"}; const hostPromise = Promise.resolve(hostObj);
// WeakMap created on the host const wm = new WeakMap([[hostObj, "HIT"]]);
const vm = new VM({ sandbox: {hostPromise, wm}, timeout: 1000, eval: false, wasm: false, });
const code = hostPromise.then(v => ({
weakMapGet: wm.get(v),
typeofV: typeof v,
tag: v.tag
}));
const result = await vm.run(code);
console.log("VM RESULT:", result); console.log("HOST SAME KEY STILL:", wm.get(hostObj)); Output VM RESULT: { weakMapGet: 'HIT', typeofV: 'object', tag: 'HOST_OBJ' } HOST SAME KEY STILL: HIT
This confirms that the object delivered to the sandbox callback retains host identity.
Additional Demonstration: Host Object Mutation
The sandbox can also mutate host object state through the resolved Promise value.
import {VM} from "./index.js";
const hostObj = {tag: "HOST_OBJ", nested: {x: 1}}; const hostPromise = Promise.resolve(hostObj);
const vm = new VM({ sandbox: {hostPromise}, timeout: 1000, eval: false, wasm: false, });
const code = hostPromise.then(v => {
v.nested.x = 999;
v.tag = "MUTATED";
return { seenTag: v.tag, seenX: v.nested.x };
});
const result = await vm.run(code);
console.log("VM RESULT:", result); console.log("HOST AFTER:", hostObj);
Output: VM RESULT: { seenTag: 'MUTATED', seenX: 999 } HOST AFTER: { tag: 'MUTATED', nested: { x: 999 } }
This demonstrates write-through mutation of a host object from sandbox code.
Impact This vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.
Consequences include:
Host object identity disclosure
Write-through mutation of host objects
WeakMap / WeakSet identity oracle across the boundary
Potential capability leaks if sensitive host objects are reachable via Promises
Applications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.
This weakens the intended isolation guarantees of vm2.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.5"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44000"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T04:29:22Z",
"nvd_published_at": "2026-05-13T18:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA sandbox boundary violation in **vm2** allows host object identity to cross into the sandbox through host Promise resolution.\n\nWhen a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox `.then()` callback preserves host identity. This allows the sandbox to interact with the host object directly, including:\n\n- Performing identity checks using host-side `WeakMap`\n- Mutating host object state from inside the sandbox\n\nThis behavior occurs because the Promise fulfillment wrapper uses `ensureThis()` instead of the stronger cross-realm conversion path (`from()` / proxy wrapping). If no prototype mapping is found, `ensureThis()` returns the original object.\n\nAs a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation.\n\n---\n\n### Details\n\nIn `setup-sandbox.js`, vm2 wraps `Promise.prototype.then`:\n\n```js\nglobalPromise.prototype.then = function then(onFulfilled, onRejected) {\n resetPromiseSpecies(this);\n\n if (typeof onFulfilled === \u0027function\u0027) {\n const origOnFulfilled = onFulfilled;\n onFulfilled = function onFulfilled(value) {\n value = ensureThis(value);\n return apply(origOnFulfilled, this, [value]);\n };\n }\n\n return apply(globalPromiseThen, this, [onFulfilled, onRejected]);\n};\n\n\nThe wrapper calls ensureThis(value) before invoking the sandbox callback.\n\nHowever, ensureThis is implemented in bridge.js as thisEnsureThis():\n\nfunction thisEnsureThis(other) {\n const type = typeof other;\n\n switch (type) {\n case \u0027object\u0027:\n if (other === null) return null;\n\n case \u0027function\u0027:\n let proto = thisReflectGetPrototypeOf(other);\n\n if (!proto) {\n return other;\n }\n\n while (proto) {\n const mapping = thisReflectApply(thisMapGet, protoMappings, [proto]);\n\n if (mapping) {\n const mapped = thisReflectApply(thisWeakMapGet, mappingOtherToThis, [other]);\n if (mapped) return mapped;\n return mapping(defaultFactory, other);\n }\n\n proto = thisReflectGetPrototypeOf(proto);\n }\n\n return other;\n\nIf no prototype mapping is found, ensureThis() simply returns the original object:\n\nreturn other;\n\nThis means the sandbox receives the original host object instead of a proxied or sanitized representation.\n\nBecause of this behavior, values resolved by host Promises can cross the host\u2013sandbox boundary with identity preserved.\n\nPoC\n\nThe following Proof of Concept demonstrates that an object resolved by a host Promise can be used as a valid key in a host-side WeakMap from inside the sandbox.\n\nWeakMap keys rely on reference identity, so a successful lookup proves that the sandbox received the host object identity.\n\nPoC Code\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\"};\nconst hostPromise = Promise.resolve(hostObj);\n\n// WeakMap created on the host\nconst wm = new WeakMap([[hostObj, \"HIT\"]]);\n\nconst vm = new VM({\n sandbox: {hostPromise, wm},\n timeout: 1000,\n eval: false,\n wasm: false,\n});\n\nconst code = `\n hostPromise.then(v =\u003e ({\n weakMapGet: wm.get(v),\n typeofV: typeof v,\n tag: v.tag\n }))\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST SAME KEY STILL:\", wm.get(hostObj));\nOutput\nVM RESULT: { weakMapGet: \u0027HIT\u0027, typeofV: \u0027object\u0027, tag: \u0027HOST_OBJ\u0027 }\nHOST SAME KEY STILL: HIT\n\nThis confirms that the object delivered to the sandbox callback retains host identity.\n\nAdditional Demonstration: Host Object Mutation\n\nThe sandbox can also mutate host object state through the resolved Promise value.\n\nimport {VM} from \"./index.js\";\n\nconst hostObj = {tag: \"HOST_OBJ\", nested: {x: 1}};\nconst hostPromise = Promise.resolve(hostObj);\n\nconst vm = new VM({\n sandbox: {hostPromise},\n timeout: 1000,\n eval: false,\n wasm: false,\n});\n\nconst code = `\n hostPromise.then(v =\u003e {\n v.nested.x = 999;\n v.tag = \"MUTATED\";\n return { seenTag: v.tag, seenX: v.nested.x };\n })\n`;\n\nconst result = await vm.run(code);\n\nconsole.log(\"VM RESULT:\", result);\nconsole.log(\"HOST AFTER:\", hostObj);\n\n**Output:**\nVM RESULT: { seenTag: \u0027MUTATED\u0027, seenX: 999 }\nHOST AFTER: { tag: \u0027MUTATED\u0027, nested: { x: 999 } }\n\nThis demonstrates write-through mutation of a host object from sandbox code.\n\n**Impact**\nThis vulnerability allows host object references to cross the vm2 sandbox boundary via Promise resolution.\n\nConsequences include:\n\nHost object identity disclosure\n\nWrite-through mutation of host objects\n\nWeakMap / WeakSet identity oracle across the boundary\n\nPotential capability leaks if sensitive host objects are reachable via Promises\n\nApplications that expose host Promises to sandboxed code may unintentionally grant the sandbox direct access to host objects.\n\nThis weakens the intended isolation guarantees of vm2.",
"id": "GHSA-mpf8-4hx2-7cjg",
"modified": "2026-05-14T20:36:48Z",
"published": "2026-05-07T04:29:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44000"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary"
}
GHSA-MPJM-V997-C4H4
Vulnerability from github – Published: 2021-10-12 21:59 – Updated: 2022-08-11 16:56Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
- 15.0.0-alpha.10
- 14.0.0
- 13.3.0
- 12.1.0
- 11.5.0
Workarounds
If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.
Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:
delete require('electron').nativeImage.createThumbnailFromPath
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39184"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-12T18:54:44Z",
"nvd_published_at": "2021-10-12T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis vulnerability allows a sandboxed renderer to request a \"thumbnail\" image of an arbitrary file on the user\u0027s system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.\n\nAll current stable versions of Electron are affected.\n\n### Patches\nThis was fixed with #30728, and the following Electron versions contain the fix:\n\n- 15.0.0-alpha.10\n- 14.0.0\n- 13.3.0\n- 12.1.0\n- 11.5.0\n\n### Workarounds\nIf your app enables `contextIsolation`, this vulnerability is significantly more difficult for an attacker to exploit.\n\nFurther, if your app does not depend on the `createThumbnailFromPath` API, then you can simply disable the functionality. In the main process, before the \u0027ready\u0027 event:\n```js\ndelete require(\u0027electron\u0027).nativeImage.createThumbnailFromPath\n```\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).",
"id": "GHSA-mpjm-v997-c4h4",
"modified": "2022-08-11T16:56:02Z",
"published": "2021-10-12T21:59:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-mpjm-v997-c4h4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39184"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/30728"
},
{
"type": "WEB",
"url": "https://github.com/electron/electron/pull/30728/commits/8fed645bd671f359ee52d806c075ec4e07eda17f"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Electron\u0027s sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API"
}
GHSA-MPX3-9HC8-9X6P
Vulnerability from github – Published: 2023-09-12 18:30 – Updated: 2024-04-04 07:38DHCP Server Service Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-38152"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T17:15:18Z",
"severity": "MODERATE"
},
"details": "DHCP Server Service Information Disclosure Vulnerability",
"id": "GHSA-mpx3-9hc8-9x6p",
"modified": "2024-04-04T07:38:06Z",
"published": "2023-09-12T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38152"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38152"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQ8J-3H7H-P8G7
Vulnerability from github – Published: 2022-06-16 23:14 – Updated: 2022-06-16 23:14Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.
Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).
If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.617.2.016.2.615.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "15.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 18.0.0-beta.5"
},
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "18.0.0-beta.1"
},
{
"fixed": "18.0.0-beta.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29247"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-16T23:14:33Z",
"nvd_published_at": "2022-06-13T21:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nThis vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`.\n\nPlease note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`).\n\nIf your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.\n\n### Patches\nThis has been patched and the following Electron versions contain the fix:\n\n* `18.0.0-beta.6`\n* `17.2.0`\n* `16.2.6`\n* `15.5.5`\n\n### Workarounds\nEnsure that all IPC message handlers appropriately validate `senderFrame` as per our [security tutorial here](https://github.com/electron/electron/blob/main/docs/tutorial/security.md#17-validate-the-sender-of-all-ipc-messages).\n\n### For more information\n\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).",
"id": "GHSA-mq8j-3h7h-p8g7",
"modified": "2022-06-16T23:14:33Z",
"published": "2022-06-16T23:14:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29247"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled"
}
GHSA-MQ9G-JW9V-3PCF
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
{
"affected": [],
"aliases": [
"CVE-2021-39884"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-05T13:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.",
"id": "GHSA-mq9g-jw9v-3pcf",
"modified": "2022-07-13T00:01:38Z",
"published": "2022-05-24T19:16:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39884"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/447817"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39884.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/25414"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQM8-93XW-F4W3
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-10-06 18:52In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.
{
"affected": [],
"aliases": [
"CVE-2021-42067"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.",
"id": "GHSA-mqm8-93xw-f4w3",
"modified": "2022-10-06T18:52:11Z",
"published": "2022-01-15T00:01:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42067"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3112710"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MR4R-VFMP-V9Q3
Vulnerability from github – Published: 2023-02-14 21:30 – Updated: 2023-02-14 21:30HTTP.sys Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-21687"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "HTTP.sys Information Disclosure Vulnerability",
"id": "GHSA-mr4r-vfmp-v9q3",
"modified": "2023-02-14T21:30:30Z",
"published": "2023-02-14T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21687"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MR5M-2385-2VCP
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2023-07-17 18:29An issue was discovered in xdLocalStorage through 2.0.5. The postData() function in xdLocalStoragePostMessageApi.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and receive the messages that the "magical iframe" sends.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "xdlocalstorage"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11610"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T18:29:36Z",
"nvd_published_at": "2020-04-07T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in xdLocalStorage through 2.0.5. The `postData()` function in `xdLocalStoragePostMessageApi.js` specifies the wildcard (`*`) as the targetOrigin when calling the `postMessage()` function on the parent object. Therefore any domain can load the application hosting the \"magical iframe\" and receive the messages that the \"magical iframe\" sends.",
"id": "GHSA-mr5m-2385-2vcp",
"modified": "2023-07-17T18:29:36Z",
"published": "2022-05-24T17:13:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11610"
},
{
"type": "WEB",
"url": "https://github.com/ofirdagan/cross-domain-local-storage/issues/17"
},
{
"type": "WEB",
"url": "https://github.com/ofirdagan/cross-domain-local-storage/pull/19"
},
{
"type": "PACKAGE",
"url": "https://github.com/ofirdagan/cross-domain-local-storage"
},
{
"type": "WEB",
"url": "https://grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/#Missing-TargetOrigin-Magic-iframe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "xdlocalstorage does not verify request origin"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.