CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 15 of 23
- CVE-2022-30334MEDIUMCVSS 5.3EG 5.32022-05-07
Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises "Note that Private Windows with Tor Conn…
- CVE-2022-30607MEDIUMCVSS 6.5EG 6.52022-06-17
IBM Robotic Process Automation 20.10.0, 20.12.5, 21.0.0, 21.0.1, and 21.0.2 contains a vulnerability that could allow a user to obtain sensitive information due to information properly masked in the control center UI. IBM X-Force ID: 22729…
- CVE-2022-30613MEDIUMCVSS 5.5EG 5.52022-10-07
IBM QRadar SIEM 7.4 and 7.5 could disclose sensitive information via a local service to a privileged user. IBM X-Force ID: 227366.
- CVE-2022-30714LOWCVSS 1.9EG 3.32022-06-07
Information exposure vulnerability in SemIWCMonitor prior to SMR Jun-2022 Release 1 allows local attackers to get MAC address information.
- CVE-2022-30728LOWCVSS 1.9EG 3.32022-06-07
Information exposure vulnerability in ScanPool prior to SMR Jun-2022 Release 1 allows local attackers to get MAC address information.
- CVE-2022-30732MEDIUMCVSS 5.5EG 7.52022-06-07
Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.
- CVE-2022-30734MEDIUMCVSS 4.0EG 5.32022-06-07
Sensitive information exposure in Sign-out log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.
- CVE-2022-30746HIGHCVSS 7.5EG 7.52022-06-07
Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API.
- CVE-2022-30750LOWCVSS 3.3EG 3.32022-07-12
Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected.
- CVE-2022-30751LOWCVSS 3.3EG 3.32022-07-12
Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_DHCPACK_EVENT action.
- CVE-2022-30752LOWCVSS 3.3EG 3.32022-07-12
Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_STATE_CHANGED action.
- CVE-2022-31238MEDIUMCVSS 4.7EG 5.52022-08-22
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to infor…
- CVE-2022-31260MEDIUMCVSS 6.5EG 6.52022-07-17
In Montala ResourceSpace through 9.8 before r19636, csv_export_results_metadata.php allows attackers to export collection metadata via a non-NULL k value.
- CVE-2022-31308HIGHCVSS 7.5EG 7.52022-06-14
A vulnerability in live_mfg.shtml of WAVLINK AERIAL X 1200M M79X3.V5030.191012 allows attackers to obtain sensitive router information via execution of the exec cmd function.
- CVE-2022-31309HIGHCVSS 7.5EG 7.52022-06-14
A vulnerability in live_check.shtml of WAVLINK AERIAL X 1200M M79X3.V5030.180719 allows attackers to obtain sensitive router information via execution of the exec cmd function.
- CVE-2022-31475MEDIUMCVSS 5.5EG 4.92022-07-21
Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.
- CVE-2022-31596MEDIUMCVSS 6.0EG 6.02022-12-12
Under certain conditions, an attacker authenticated as a CMS administrator and with high privileges access to the Network in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) - version 430, can access BOE Monitoring databa…
- CVE-2022-31649HIGHCVSS 7.5EG 7.52022-06-09
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
- CVE-2022-31673HIGHCVSS 8.8EG 8.82022-08-10
VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remot…
- CVE-2022-31708MEDIUMCVSS 4.9EG 4.92022-12-16
vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4.
- CVE-2022-31845HIGHCVSS 7.5EG 7.52022-06-14
A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.
- CVE-2022-31846HIGHCVSS 7.5EG 7.52022-06-14
A vulnerability in live_mfg.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.
- CVE-2022-31847HIGHCVSS 7.5EG 7.52022-06-14
A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN579 X3 M79X3.V5030.180719 allows attackers to obtain sensitive router information via a crafted POST request.
- CVE-2022-32221CRITICALCVSS 9.8EG 9.82022-12-05
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT`…
- CVE-2022-32249HIGHCVSS 7.5EG 7.52022-07-12
Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high privileged account credentials)
- CVE-2022-32328CRITICALCVSS 9.1EG 9.12022-06-14
Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=delete_img.
- CVE-2022-32430HIGHCVSS 7.5EG 7.52022-07-21
An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application.
- CVE-2022-32530MEDIUMCVSS 4.8EG 7.82022-06-24
A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a …
- CVE-2022-32559CRITICALCVSS 9.1EG 9.12022-06-14
An issue was discovered in Couchbase Server before 7.0.4. Random HTTP requests lead to leaked metrics.
- CVE-2022-32833MEDIUMCVSS 5.3EG 5.32022-12-15
An issue existed with the file paths used to store website data. The issue was resolved by improving how website data is stored. This issue is fixed in iOS 16. An unauthorized user may be able to access browsing history.
- CVE-2022-32883MEDIUMCVSS 5.5EG 5.52022-09-20
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An app may be able to read sensitive location information.
- CVE-2022-32896MEDIUMCVSS 5.5EG 5.52023-02-27
This issue was addressed by enabling hardened runtime. This issue is fixed in macOS Monterey 12.6, macOS Big Sur 11.7. A user may be able to view sensitive user information.
- CVE-2022-33692MEDIUMCVSS 4.0EG 3.32022-07-12
Exposure of Sensitive Information in Messaging application prior to SMR Jul-2022 Release 1 allows local attacker to access imsi and iccid via log.
- CVE-2022-33694MEDIUMCVSS 4.0EG 3.32022-07-12
Exposure of Sensitive Information in CSC application prior to SMR Jul-2022 Release 1 allows local attacker to access wifi information via unprotected intent broadcasting.
- CVE-2022-33696MEDIUMCVSS 4.0EG 3.32022-07-12
Exposure of Sensitive Information in Telephony service prior to SMR Jul-2022 Release 1 allows local attacker to access imsi and iccid via log.
- CVE-2022-33698LOWCVSS 3.3EG 3.32022-07-12
Exposure of Sensitive Information in Telecom application prior to SMR Jul-2022 Release 1 allows local attackers to access ICCID via log.
- CVE-2022-33699LOWCVSS 2.0EG 2.32022-07-12
Exposure of Sensitive Information in getDsaSimImsi in TelephonyUI prior to SMR Jul-2022 Release 1 allows local attacker to access imsi via log.
- CVE-2022-33700LOWCVSS 2.0EG 2.32022-07-12
Exposure of Sensitive Information in putDsaSimImsi in TelephonyUI prior to SMR Jul-2022 Release 1 allows local attacker to access imsi via log.
- CVE-2022-33751HIGHCVSS 7.5EG 7.52022-06-16
CA Automic Automation 12.2 and 12.3 contain an insecure memory handling vulnerability in the Automic agent that could allow a remote attacker to potentially access sensitive data.
- CVE-2022-33753HIGHCVSS 8.8EG 8.82022-06-16
CA Automic Automation 12.2 and 12.3 contain an insecure file creation and handling vulnerability in the Automic agent that could allow a user to potentially elevate privileges.
- CVE-2022-34047HIGHCVSS 7.5EG 7.52022-07-20
An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows attackers to obtain usernames and passwords via view-source:http://IP_ADDRESS/set_safety.shtml?r=52300 and searching for [var syspasswd].
- CVE-2022-34364MEDIUMCVSS 4.4EG 4.42023-02-10
Dell BSAFE SSL-J, versions before 6.5 and version 7.0 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user. .
- CVE-2022-34387MEDIUMCVSS 6.4EG 7.82023-02-11
Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this v…
- CVE-2022-34405HIGHCVSS 7.3EG 7.32023-01-26
An improper access control vulnerability was identified in the Realtek audio driver. A local authenticated malicious user may potentially exploit this vulnerability by waiting for an administrator to launch the application and attach to th…
- CVE-2022-34452LOWCVSS 2.7EG 2.72023-02-10
PowerPath Management Appliance with versions 3.3, 3.2*, 3.1 & 3.0* contains sensitive information disclosure vulnerability. An Authenticated admin user can able to exploit the issue and view sensitive information stored in the logs.
- CVE-2022-34457HIGHCVSS 7.3EG 7.82023-01-18
Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows no…
- CVE-2022-34464MEDIUMCVSS 6.3EG 5.52022-07-12
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.7.3). The affected application uses an improperly protected file to import SSH keys. This could allow attackers with access to the filesystem of the host on…
- CVE-2022-34765MEDIUMCVSS 5.5EG 5.32022-07-13
A CWE-73: External Control of File Name or Path vulnerability exists that could cause loading of unauthorized firmware images when user-controlled data is written to the file path. Affected Products: X80 advanced RTU Communication Module (…
- CVE-2022-34775MEDIUMCVSS 6.3EG 7.52022-08-22
Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/ma…
- CVE-2022-34867HIGHCVSS 7.3EG 7.32022-09-06
Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin <= 2.0.8 at WordPress allows attackers to list and delete submissions. Affects only versions from 2.0.0 to 2.0.8.
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →