CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-PX83-9343-XRFJ
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01An access issue was addressed with improved access restrictions. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6, tvOS 15. A user may gain access to protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2021-30850"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T14:15:00Z",
"severity": "HIGH"
},
"details": "An access issue was addressed with improved access restrictions. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6, tvOS 15. A user may gain access to protected parts of the file system.",
"id": "GHSA-px83-9343-xrfj",
"modified": "2022-07-13T00:01:24Z",
"published": "2022-05-24T19:17:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30850"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212804"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212805"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212815"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX9M-756C-MJVW
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192587406
{
"affected": [],
"aliases": [
"CVE-2021-0978"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "LOW"
},
"details": "In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192587406",
"id": "GHSA-px9m-756c-mjvw",
"modified": "2023-08-08T15:31:25Z",
"published": "2021-12-16T00:01:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0978"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXFJ-VMHH-M9GM
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00BeyondTrust AppGuard Enterprise through 6.6.20.2 creates a Temporary File in a Directory with Insecure Permissions.
{
"affected": [],
"aliases": [
"CVE-2021-42255"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T16:15:00Z",
"severity": "HIGH"
},
"details": "BeyondTrust AppGuard Enterprise through 6.6.20.2 creates a Temporary File in a Directory with Insecure Permissions.",
"id": "GHSA-pxfj-vmhh-m9gm",
"modified": "2022-04-21T00:00:58Z",
"published": "2022-04-13T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42255"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0022/MNDT-2022-0022.md"
},
{
"type": "WEB",
"url": "https://www.beyondtrust.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q22J-6G9R-WC97
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30Improper access control vulnerability in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows local attacker to write file with MyFiles privilege via implicit intent.
{
"affected": [],
"aliases": [
"CVE-2023-21445"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control vulnerability in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows local attacker to write file with MyFiles privilege via implicit intent.",
"id": "GHSA-q22j-6g9r-wc97",
"modified": "2023-02-17T21:30:40Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21445"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2RF-262F-HFR2
Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-07-11 12:30CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams.
{
"affected": [],
"aliases": [
"CVE-2025-6788"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T12:15:23Z",
"severity": "MODERATE"
},
"details": "CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources\nto the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML\ndiagrams.",
"id": "GHSA-q2rf-262f-hfr2",
"modified": "2025-07-11T12:30:32Z",
"published": "2025-07-11T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6788"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-189-04.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q4JP-RMFF-G56P
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214."
{
"affected": [],
"aliases": [
"CVE-2022-42442"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "LOW"
},
"details": "\"IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214.\"",
"id": "GHSA-q4jp-rmff-g56p",
"modified": "2022-11-04T19:01:16Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42442"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238214"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6831787"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q4P9-39FV-H479
Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2024-04-26 09:30Vladimir Kononovich, a Security Researcher has found a flaw that using a inappropriate encryption logic on the DVR. firmware encryption is broken and allows to decrypt. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
{
"affected": [],
"aliases": [
"CVE-2023-6096"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T08:15:11Z",
"severity": "HIGH"
},
"details": "\nVladimir Kononovich, a Security Researcher has found a flaw that using a inappropriate encryption logic on the DVR. firmware encryption is broken and allows to decrypt. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.\n\n",
"id": "GHSA-q4p9-39fv-h479",
"modified": "2024-04-26T09:30:34Z",
"published": "2024-04-26T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6096"
},
{
"type": "WEB",
"url": "https://www.hanwhavision.com/wp-content/uploads/2024/04/NVR-DVR-Vulnerability-Report-CVE-2023-6095-6096.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5H6-FHHG-PM4C
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42Denial of Service vulnerability in Trend Micro Deep Discovery Email Inspector 2.5.1 allows remote attackers to delete arbitrary files on vulnerable installations, thus disabling the service. Formerly ZDI-CAN-4350.
{
"affected": [],
"aliases": [
"CVE-2017-11382"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-03T15:29:00Z",
"severity": "HIGH"
},
"details": "Denial of Service vulnerability in Trend Micro Deep Discovery Email Inspector 2.5.1 allows remote attackers to delete arbitrary files on vulnerable installations, thus disabling the service. Formerly ZDI-CAN-4350.",
"id": "GHSA-q5h6-fhhg-pm4c",
"modified": "2022-05-13T01:42:17Z",
"published": "2022-05-13T01:42:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11382"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/1116750"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100076"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-17-503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5PV-QHPQ-3F39
Vulnerability from github – Published: 2022-02-02 00:01 – Updated: 2022-02-05 00:00The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.
{
"affected": [],
"aliases": [
"CVE-2021-24775"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-01T13:15:00Z",
"severity": "MODERATE"
},
"details": "The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.",
"id": "GHSA-q5pv-qhpq-3f39",
"modified": "2022-02-05T00:00:46Z",
"published": "2022-02-02T00:01:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24775"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/c6f24afe-d273-4f87-83ca-a791a385b06b"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q6Q8-2JWH-F6XX
Vulnerability from github – Published: 2022-03-20 00:00 – Updated: 2022-03-29 00:01Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
{
"affected": [],
"aliases": [
"CVE-2022-26267"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T23:15:00Z",
"severity": "HIGH"
},
"details": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.",
"id": "GHSA-q6q8-2jwh-f6xx",
"modified": "2022-03-29T00:01:32Z",
"published": "2022-03-20T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26267"
},
{
"type": "WEB",
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.