CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 11 of 23
- CVE-2021-44676CRITICALCVSS 9.8EG 9.82021-12-20
Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.
- CVE-2021-44717MEDIUMCVSS 4.8EG 4.82022-01-01
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.
- CVE-2021-44746MEDIUMCVSS 5.3EG 5.32022-02-01
UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, Data Maintenance Tool for DT800 Serie…
- CVE-2021-44837MEDIUMCVSS 4.3EG 4.32022-01-19
An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoi…
- CVE-2021-44838MEDIUMCVSS 4.3EG 4.32022-01-18
An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies.
- CVE-2021-44852HIGHCVSS 7.8EG 7.82022-01-01
An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary add…
- CVE-2021-44854MEDIUMCVSS 5.3EG 5.32022-12-26
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.
- CVE-2021-44886MEDIUMCVSS 5.3EG 5.32022-02-04
In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons didn't have the same permissions as the original agent, they could receive ticket notifications for tickets that they have no a…
- CVE-2021-45097LOWCVSS 2.9EG 5.52021-12-16
KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.
- CVE-2021-45101HIGHCVSS 8.1EG 8.12021-12-16
An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow …
- CVE-2021-45402MEDIUMCVSS 5.5EG 5.52022-02-11
The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, a…
- CVE-2021-45420CRITICALCVSS 9.8EG 9.82022-02-14
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system withou…
- CVE-2021-45421HIGHCVSS 7.5EG 7.52022-02-14
Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing. A potential attacker can use this misconfiguration to access all the files in the remote directories. Note: the product has not been supported s…
- CVE-2021-45446MEDIUMCVSS 5.0EG 7.52022-11-02
A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the co…
- CVE-2021-45454HIGHCVSS 7.5EG 7.52022-08-17
Ampere Altra before SRP 1.08b and Altra Max before SRP 2.05 allow information disclosure of power telemetry via HWmon.
- CVE-2021-45494HIGHCVSS 8.4EG 4.52021-12-26
Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10.
- CVE-2021-45708HIGHCVSS 7.5EG 7.52021-12-27
An issue was discovered in the abomonation crate through 2021-10-17 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass.
- CVE-2021-46354HIGHCVSS 7.5EG 7.52022-02-09
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. The ability to send requests to other systems can allow the vulnerable s…
- CVE-2021-46687MEDIUMCVSS 4.9EG 4.92022-07-06
JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.31.10 versions prio…
- CVE-2021-46744MEDIUMCVSS 6.5EG 6.52022-05-11
An attacker with access to a malicious hypervisor may be able to infer data values used in a SEV guest on AMD CPUs by monitoring ciphertext values over time.
- CVE-2021-46906MEDIUMCVSS 5.5EG 5.52024-02-26
In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. Whe…
- CVE-2021-46917MEDIUMCVSS 5.5EG 5.52024-02-27
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. …
- CVE-2021-46921MEDIUMCVSS 5.5EG 5.52024-02-27
In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_loc…
- CVE-2021-46923MEDIUMCVSS 5.5EG 5.52024-02-27
In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was succesfully built in both the success and failure case t…
- CVE-2021-46935MEDIUMCVSS 5.5EG 5.52024-02-27
In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel…
- CVE-2021-46937MEDIUMCVSS 5.5EG 5.52024-02-27
In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target…
- CVE-2021-47401MEDIUMCVSS 5.5EG 7.12024-05-21
In the Linux kernel, the following vulnerability has been resolved: ipack: ipoctal: fix stack information leak The tty driver name is used also after registering the driver and must specifically not be allocated on the stack to avoid lea…
- CVE-2022-0005LOWCVSS 2.4EG 2.42022-05-12
Sensitive information accessible by physical probing of JTAG interface for some Intel(R) Processors with SGX may allow an unprivileged user to potentially enable information disclosure via physical access.
- CVE-2022-0117MEDIUMCVSS 6.5EG 6.52022-02-12
Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-0315HIGHCVSS 7.5EG 7.52022-03-24
Insecure Temporary File in GitHub repository horovod/horovod prior to 0.24.0.
- CVE-2022-0334MEDIUMCVSS 4.3EG 4.32022-01-25
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the …
- CVE-2022-0337MEDIUMCVSS 6.5EG 6.52023-01-02
Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High)
- CVE-2022-0461MEDIUMCVSS 6.5EG 6.52022-04-05
Policy bypass in COOP in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to bypass iframe sandbox via a crafted HTML page.
- CVE-2022-0806MEDIUMCVSS 6.5EG 6.52022-04-05
Data leak in Canvas in Google Chrome prior to 99.0.4844.51 allowed a remote attacker who convinced a user to engage in screen sharing to potentially leak cross-origin data via a crafted HTML page.
- CVE-2022-0815MEDIUMCVSS 6.5EG 7.32022-03-10
Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system. This could le…
- CVE-2022-0852MEDIUMCVSS 5.5EG 5.52022-08-29
There is a flaw in convert2rhel. convert2rhel passes the Red Hat account password to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the password via the process command line v…
- CVE-2022-1111LOWCVSS 2.4EG 2.72022-04-04
A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' colu…
- CVE-2022-1128MEDIUMCVSS 6.5EG 6.52022-07-23
Inappropriate implementation in Web Share API in Google Chrome on Windows prior to 100.0.4896.60 allowed an attacker on the local network segment to leak cross-origin data via a crafted HTML page.
- CVE-2022-1137MEDIUMCVSS 6.5EG 6.52022-07-23
Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page.
- CVE-2022-1138MEDIUMCVSS 6.5EG 6.52022-07-23
Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2022-1139MEDIUMCVSS 6.5EG 6.52022-07-23
Inappropriate implementation in Background Fetch API in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1146MEDIUMCVSS 6.5EG 6.52022-07-23
Inappropriate implementation in Resource Timing in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1385LOWCVSS 3.7EG 3.72022-04-19
Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public …
- CVE-2022-1413MEDIUMCVSS 5.4EG 7.52022-05-19
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be …
- CVE-2022-1467HIGHCVSS 7.4EG 9.92022-05-23
Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCA…
- CVE-2022-1488MEDIUMCVSS 4.3EG 4.32022-07-26
Inappropriate implementation in Extensions API in Google Chrome prior to 101.0.4951.41 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.
- CVE-2022-1498MEDIUMCVSS 4.3EG 4.32022-07-26
Inappropriate implementation in HTML Parser in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1501MEDIUMCVSS 6.5EG 6.52022-07-26
Inappropriate implementation in iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1637MEDIUMCVSS 4.3EG 4.32022-07-26
Inappropriate implementation in Web Contents in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2022-1873MEDIUMCVSS 6.5EG 6.52022-07-27
Insufficient policy enforcement in COOP in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →