CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 14 of 23
- CVE-2022-26355MEDIUMCVSS 4.4EG 4.42022-03-10
Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Micr…
- CVE-2022-26653MEDIUMCVSS 5.3EG 5.32022-04-16
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
- CVE-2022-26707MEDIUMCVSS 5.5EG 5.52022-09-23
An issue in the handling of environment variables was addressed with improved validation. This issue is fixed in macOS Monterey 12.4. A user may be able to view sensitive user information.
- CVE-2022-26777MEDIUMCVSS 5.3EG 5.32022-04-16
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
- CVE-2022-26816MEDIUMCVSS 6.5EG 6.52022-04-15
Windows DNS Server Information Disclosure Vulnerability
- CVE-2022-26850MEDIUMCVSS 4.3EG 4.32022-04-06
When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory h…
- CVE-2022-26869CRITICALCVSS 9.8EG 9.82022-06-02
Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.
- CVE-2022-26933MEDIUMCVSS 5.5EG 5.52022-05-10
Windows NTFS Information Disclosure Vulnerability
- CVE-2022-26935MEDIUMCVSS 6.5EG 6.52022-05-10
Windows WLAN AutoConfig Service Information Disclosure Vulnerability
- CVE-2022-26936MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Server Service Information Disclosure Vulnerability
- CVE-2022-26940MEDIUMCVSS 6.5EG 6.52022-05-10
Remote Desktop Protocol Client Information Disclosure Vulnerability
- CVE-2022-27257HIGHCVSS 7.5EG 7.52022-04-15
A PHP Local File Inclusion vulneraility in the default Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter.
- CVE-2022-27331MEDIUMCVSS 4.3EG 4.32022-04-27
An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.
- CVE-2022-27332CRITICALCVSS 9.1EG 9.12022-04-27
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).
- CVE-2022-27575LOWCVSS 3.3EG 3.32022-04-11
Information exposure vulnerability in One UI Home prior to SMR April-2022 Release 1 allows to access currently launched foreground app information without permission.
- CVE-2022-27576LOWCVSS 3.3EG 3.32022-04-11
Information exposure vulnerability in Samsung DeX Home prior to SMR April-2022 Release 1 allows to access currently launched foreground app information without permission
- CVE-2022-27772HIGHCVSS 7.8EG 7.82022-03-30
spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: Thi…
- CVE-2022-27779MEDIUMCVSS 5.3EG 5.32022-06-02
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](htt…
- CVE-2022-27817MEDIUMCVSS 4.4EG 4.42022-04-14
SWHKD 1.1.5 consumes the keyboard events of unintended users. This could potentially cause an information leak, but is usually a denial of functionality.
- CVE-2022-27818CRITICALCVSS 9.1EG 9.12022-04-07
SWHKD 1.1.5 unsafely uses the /tmp/swhkd.sock pathname. There can be an information leak or denial of service.
- CVE-2022-27822MEDIUMCVSS 6.6EG 5.52022-04-11
Information exposure vulnerability in ril property setting prior to SMR April-2022 Release 1 allows access to EF_RUIMID value without permission.
- CVE-2022-27912MEDIUMCVSS 5.3EG 5.32022-10-25
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
- CVE-2022-27919CRITICALCVSS 9.8EG 9.82022-03-25
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.
- CVE-2022-2792MEDIUMCVSS 6.6EG 7.52022-08-19
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists.
- CVE-2022-28160MEDIUMCVSS 6.5EG 6.52022-03-29
Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller.
- CVE-2022-28226HIGHCVSS 7.8EG 7.82022-06-15
Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure pe…
- CVE-2022-28365MEDIUMCVSS 5.3EG 5.32022-04-09
Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network …
- CVE-2022-28376HIGHCVSS 8.1EG 8.12022-04-03
Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. The password (for the verizon username) is calculated by concaten…
- CVE-2022-28713MEDIUMCVSS 5.3EG 5.32022-07-04
Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.
- CVE-2022-28794LOWCVSS 2.2EG 3.32022-06-07
Sensitive information exposure in low-battery dumpstate log prior to SMR Jun-2022 Release 1 allows local attackers to get SIM card information.
- CVE-2022-2882MEDIUMCVSS 5.5EG 4.32022-10-28
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a G…
- CVE-2022-28924MEDIUMCVSS 6.5EG 6.52022-05-18
An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.
- CVE-2022-28991HIGHCVSS 7.5EG 7.52022-05-20
Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.
- CVE-2022-29102MEDIUMCVSS 5.5EG 5.52022-05-10
Windows Failover Cluster Information Disclosure Vulnerability
- CVE-2022-29112MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Graphics Component Information Disclosure Vulnerability
- CVE-2022-29120MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Clustered Shared Volume Information Disclosure Vulnerability
- CVE-2022-29122MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Clustered Shared Volume Information Disclosure Vulnerability
- CVE-2022-29123MEDIUMCVSS 6.5EG 6.52022-05-10
Windows Clustered Shared Volume Information Disclosure Vulnerability
- CVE-2022-29247LOWCVSS 2.2EG 2.22022-06-13
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain acce…
- CVE-2022-29467MEDIUMCVSS 4.3EG 4.32022-07-04
Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.
- CVE-2022-29471MEDIUMCVSS 4.3EG 4.32022-07-04
Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin.
- CVE-2022-29500HIGHCVSS 8.8EG 8.82022-05-05
SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Information Disclosure.
- CVE-2022-29646MEDIUMCVSS 5.3EG 5.32022-05-18
An access control issue in TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 allows attackers to obtain sensitive information via a crafted web request.
- CVE-2022-29820LOWCVSS 3.0EG 3.52022-04-28
In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible
- CVE-2022-29850HIGHCVSS 8.1EG 8.12022-08-26
Various Lexmark products through 2022-04-27 allow an attacker who has already compromised an affected Lexmark device to maintain persistence across reboots.
- CVE-2022-29869MEDIUMCVSS 5.3EG 5.32022-04-28
cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.
- CVE-2022-29901MEDIUMCVSS 5.6EG 6.52022-07-12
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions …
- CVE-2022-3018MEDIUMCVSS 6.8EG 4.92022-10-28
An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to acc…
- CVE-2022-30223MEDIUMCVSS 5.7EG 5.72022-07-12
Windows Hyper-V Information Disclosure Vulnerability
- CVE-2022-30330MEDIUMCVSS 6.6EG 6.62022-05-07
In the KeepKey firmware before 7.3.2,Flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. Using these flaws, malicious firmware code can elevate privileges, permanently make t…
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →