Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-PX83-9343-XRFJ

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01
VLAI
Details

An access issue was addressed with improved access restrictions. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6, tvOS 15. A user may gain access to protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-19T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access issue was addressed with improved access restrictions. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6, tvOS 15. A user may gain access to protected parts of the file system.",
  "id": "GHSA-px83-9343-xrfj",
  "modified": "2022-07-13T00:01:24Z",
  "published": "2022-05-24T19:17:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30850"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212804"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212805"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212815"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Oct/63"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX9M-756C-MJVW

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2023-08-08 15:31
VLAI
Details

In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192587406

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "LOW"
  },
  "details": "In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192587406",
  "id": "GHSA-px9m-756c-mjvw",
  "modified": "2023-08-08T15:31:25Z",
  "published": "2021-12-16T00:01:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0978"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXFJ-VMHH-M9GM

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

BeyondTrust AppGuard Enterprise through 6.6.20.2 creates a Temporary File in a Directory with Insecure Permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "BeyondTrust AppGuard Enterprise through 6.6.20.2 creates a Temporary File in a Directory with Insecure Permissions.",
  "id": "GHSA-pxfj-vmhh-m9gm",
  "modified": "2022-04-21T00:00:58Z",
  "published": "2022-04-13T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0022/MNDT-2022-0022.md"
    },
    {
      "type": "WEB",
      "url": "https://www.beyondtrust.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q22J-6G9R-WC97

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30
VLAI
Details

Improper access control vulnerability in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows local attacker to write file with MyFiles privilege via implicit intent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control vulnerability in MyFiles prior to versions 12.2.09 in Android R(11), 13.1.03.501 in Android S(12) and 14.1.00.422 in Android T(13) allows local attacker to write file with MyFiles privilege via implicit intent.",
  "id": "GHSA-q22j-6g9r-wc97",
  "modified": "2023-02-17T21:30:40Z",
  "published": "2023-02-09T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21445"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2RF-262F-HFR2

Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-07-11 12:30
VLAI
Details

CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T12:15:23Z",
    "severity": "MODERATE"
  },
  "details": "CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources\nto the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML\ndiagrams.",
  "id": "GHSA-q2rf-262f-hfr2",
  "modified": "2025-07-11T12:30:32Z",
  "published": "2025-07-11T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6788"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-189-04.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q4JP-RMFF-G56P

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01
VLAI
Details

"IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "LOW"
  },
  "details": "\"IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214.\"",
  "id": "GHSA-q4jp-rmff-g56p",
  "modified": "2022-11-04T19:01:16Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42442"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/238214"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6831787"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q4P9-39FV-H479

Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2024-04-26 09:30
VLAI
Details

Vladimir Kononovich, a Security Researcher has found a flaw that using a inappropriate encryption logic on the DVR. firmware encryption is broken and allows to decrypt. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T08:15:11Z",
    "severity": "HIGH"
  },
  "details": "\nVladimir Kononovich, a Security Researcher has found a flaw that using a inappropriate encryption logic on the DVR. firmware encryption is broken and allows to decrypt. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.\n\n",
  "id": "GHSA-q4p9-39fv-h479",
  "modified": "2024-04-26T09:30:34Z",
  "published": "2024-04-26T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6096"
    },
    {
      "type": "WEB",
      "url": "https://www.hanwhavision.com/wp-content/uploads/2024/04/NVR-DVR-Vulnerability-Report-CVE-2023-6095-6096.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5H6-FHHG-PM4C

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

Denial of Service vulnerability in Trend Micro Deep Discovery Email Inspector 2.5.1 allows remote attackers to delete arbitrary files on vulnerable installations, thus disabling the service. Formerly ZDI-CAN-4350.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-03T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "Denial of Service vulnerability in Trend Micro Deep Discovery Email Inspector 2.5.1 allows remote attackers to delete arbitrary files on vulnerable installations, thus disabling the service. Formerly ZDI-CAN-4350.",
  "id": "GHSA-q5h6-fhhg-pm4c",
  "modified": "2022-05-13T01:42:17Z",
  "published": "2022-05-13T01:42:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11382"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/1116750"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100076"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-17-503"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5PV-QHPQ-3F39

Vulnerability from github – Published: 2022-02-02 00:01 – Updated: 2022-02-05 00:00
VLAI
Details

The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-01T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.",
  "id": "GHSA-q5pv-qhpq-3f39",
  "modified": "2022-02-05T00:00:46Z",
  "published": "2022-02-02T00:01:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24775"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/c6f24afe-d273-4f87-83ca-a791a385b06b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q6Q8-2JWH-F6XX

Vulnerability from github – Published: 2022-03-20 00:00 – Updated: 2022-03-29 00:01
VLAI
Details

Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-18T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.",
  "id": "GHSA-q6q8-2jwh-f6xx",
  "modified": "2022-03-29T00:01:32Z",
  "published": "2022-03-20T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.