Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-P4MM-5M49-MH3J

Vulnerability from github – Published: 2026-04-28 00:31 – Updated: 2026-04-28 00:31
VLAI
Details

OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-28T00:16:26Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive environment variables that should be restricted.",
  "id": "GHSA-p4mm-5m49-mh3j",
  "modified": "2026-04-28T00:31:41Z",
  "published": "2026-04-28T00:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41368"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-disclosure-via-jq-env-filter-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P4PQ-252W-Q8GG

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-10-27 19:00
VLAI
Details

Adobe Captivate version 11.5.5 (and earlier) is affected by an Creation of Temporary File In Directory With Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. The attacker must plant a malicious file in a particular location of the victim's machine. Exploitation of this issue requires user interaction in that a victim must launch the Captivate Installer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Captivate version 11.5.5 (and earlier) is affected by an Creation of Temporary File In Directory With Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. The attacker must plant a malicious file in a particular location of the victim\u0027s machine. Exploitation of this issue requires user interaction in that a victim must launch the Captivate Installer.",
  "id": "GHSA-p4pq-252w-q8gg",
  "modified": "2022-10-27T19:00:40Z",
  "published": "2022-05-24T19:12:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36002"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/captivate/apsb21-60.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5C9-M55V-7XV8

Vulnerability from github – Published: 2022-05-11 00:00 – Updated: 2025-01-02 21:31
VLAI
Details

Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Clustered Shared Volume Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-29120, CVE-2022-29123, CVE-2022-29134.",
  "id": "GHSA-p5c9-m55v-7xv8",
  "modified": "2025-01-02T21:31:34Z",
  "published": "2022-05-11T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29122"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29122"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29122"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5FW-F837-J4P4

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:36
VLAI
Details

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nA CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause\nremote code execution when a valid user visits a malicious link provided through the web\nendpoints. Affected Products:\u00a0EcoStruxure Control Expert (V15.1 and above)",
  "id": "GHSA-p5fw-f837-j4p4",
  "modified": "2024-04-04T05:36:59Z",
  "published": "2023-07-06T19:24:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27976"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
    },
    {
      "type": "WEB",
      "url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-03.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5RM-FX86-WV2F

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20
VLAI
Details

Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-15T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.",
  "id": "GHSA-p5rm-fx86-wv2f",
  "modified": "2022-05-24T17:20:35Z",
  "published": "2022-05-24T17:20:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5742"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2020-35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P5VM-WP92-93C6

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-05-24 00:01
VLAI
Details

Windows Remote Access Connection Manager Information Disclosure Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Remote Access Connection Manager Information Disclosure Vulnerability.",
  "id": "GHSA-p5vm-wp92-93c6",
  "modified": "2022-05-24T00:01:04Z",
  "published": "2022-02-10T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21985"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21985"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5VP-W7X7-6PW3

Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2022-08-19 00:00
VLAI
Details

Ampere Altra before SRP 1.08b and Altra Max? before SRP 2.05 allow information disclosure of power telemetry via HWmon.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Ampere Altra before SRP 1.08b and Altra Max? before SRP 2.05 allow information disclosure of power telemetry via HWmon.",
  "id": "GHSA-p5vp-w7x7-6pw3",
  "modified": "2022-08-19T00:00:20Z",
  "published": "2022-08-18T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45454"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com/product-security"
    },
    {
      "type": "WEB",
      "url": "https://amperecomputing.com/products/security-bulletins/platypus.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6GC-38CF-8626

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-10-19 12:00
VLAI
Details

Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-28T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Photoshop Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-p6gc-38cf-8626",
  "modified": "2022-10-19T12:00:23Z",
  "published": "2022-05-24T19:06:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28597"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/photoshop_elements/apsb21-46.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6XQ-9H8R-V544

Vulnerability from github – Published: 2023-02-10 15:30 – Updated: 2024-01-16 15:57
VLAI
Summary
CodenameOne Pending Intent vulnerability
Details

A vulnerability was found in CodenameOne 7.0.70. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. Upgrading to version 7.0.71 is able to address this issue. The name of the patch is dad49c9ef26a598619fc48d2697151a02987d478. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.codenameone:codenameone-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.71"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-927"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-16T15:57:57Z",
    "nvd_published_at": "2023-02-10T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in CodenameOne 7.0.70. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. Upgrading to version 7.0.71 is able to address this issue. The name of the patch is dad49c9ef26a598619fc48d2697151a02987d478. It is recommended to upgrade the affected component. ",
  "id": "GHSA-p6xq-9h8r-v544",
  "modified": "2024-01-16T15:57:57Z",
  "published": "2023-02-10T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4903"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenameone/CodenameOne/issues/3583"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenameone/CodenameOne/commit/dad49c9ef26a598619fc48d2697151a02987d478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codenameone/CodenameOne"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenameone/CodenameOne/releases/tag/7.0.71"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.220470"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.220470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CodenameOne Pending Intent vulnerability"
}

GHSA-P79H-R9J3-QJG6

Vulnerability from github – Published: 2022-04-21 01:48 – Updated: 2024-02-28 00:52
VLAI
Details

Mondo 2.24 has insecure handling of temporary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-3915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-07T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Mondo 2.24 has insecure handling of temporary files.",
  "id": "GHSA-p79h-r9j3-qjg6",
  "modified": "2024-02-28T00:52:39Z",
  "published": "2022-04-21T01:48:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3915"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2007-3915"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.