CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 16 of 23
- CVE-2022-35235MEDIUMCVSS 4.9EG 4.92022-08-23
Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.
- CVE-2022-35288MEDIUMCVSS 6.5EG 6.52022-07-25
IBM Security Verify Information Queue 10.0.2 could allow a user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 230818.
- CVE-2022-35406MEDIUMCVSS 4.3EG 4.32022-07-08
A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect.
- CVE-2022-35716MEDIUMCVSS 6.5EG 6.52022-08-01
IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper securit…
- CVE-2022-35837MEDIUMCVSS 6.5EG 5.02022-09-13
Windows Graphics Component Information Disclosure Vulnerability
- CVE-2022-35936HIGHCVSS 8.2EG 8.22022-08-05
Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `Delet…
- CVE-2022-36226HIGHCVSS 7.2EG 7.22022-08-26
SiteServerCMS 5.X has a Remote-download-Getshell-vulnerability via /SiteServer/Ajax/ajaxOtherService.aspx.
- CVE-2022-36771MEDIUMCVSS 6.5EG 6.52022-09-28
IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.
- CVE-2022-36780MEDIUMCVSS 4.9EG 5.32022-09-13
Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;…
- CVE-2022-36829MEDIUMCVSS 6.2EG 5.52022-08-05
PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
- CVE-2022-36830MEDIUMCVSS 6.2EG 5.52022-08-05
PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
- CVE-2022-36875MEDIUMCVSS 6.6EG 5.52022-09-09
Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.
- CVE-2022-37146MEDIUMCVSS 5.3EG 5.32022-09-08
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users conf…
- CVE-2022-37438LOWCVSS 2.6EG 3.52022-08-16
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user throug…
- CVE-2022-37703LOWCVSS 3.3EG 3.32022-09-13
In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly wi…
- CVE-2022-37958HIGHCVSS 8.1EG 7.52022-09-13
SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
- CVE-2022-37974MEDIUMCVSS 6.5EG 6.52022-10-11
Windows Mixed Reality Developer Tools Information Disclosure Vulnerability
- CVE-2022-37985MEDIUMCVSS 5.5EG 5.52022-10-11
Windows Graphics Component Information Disclosure Vulnerability
- CVE-2022-38006MEDIUMCVSS 6.5EG 6.52022-09-13
Windows Graphics Component Information Disclosure Vulnerability
- CVE-2022-38087MEDIUMCVSS 4.1EG 4.12023-05-10
Exposure of resource to wrong sphere in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
- CVE-2022-38184HIGHCVSS 7.5EG 7.52022-08-16
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
- CVE-2022-38258HIGHCVSS 8.1EG 8.12022-09-08
A local file inclusion (LFI) vulnerability in D-Link DIR 819 v1.06 allows attackers to cause a Denial of Service (DoS) or access sensitive server information via manipulation of the getpage parameter in a crafted web request.
- CVE-2022-38400MEDIUMCVSS 5.9EG 5.92022-09-08
Mailform Pro CGI 4.3.1 and earlier allow a remote unauthenticated attacker to obtain the user input data by having a use of the product to access a specially crafted URL.
- CVE-2022-38474MEDIUMCVSS 4.3EG 4.32022-12-22
A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permis…
- CVE-2022-38599MEDIUMCVSS 6.5EG 6.52022-12-08
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface.
- CVE-2022-3866MEDIUMCVSS 5.0EG 5.02022-11-10
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.
- CVE-2022-38770MEDIUMCVSS 5.3EG 5.32022-09-13
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.
- CVE-2022-38813HIGHCVSS 8.1EG 8.12022-11-25
PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.
- CVE-2022-39015MEDIUMCVSS 6.5EG 6.52022-10-11
Under certain conditions, BOE AdminTools/ BOE SDK allows an attacker to access information which would otherwise be restricted.
- CVE-2022-39193MEDIUMCVSS 5.3EG 5.32023-01-20
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it…
- CVE-2022-39309MEDIUMCVSS 4.9EG 4.92022-10-14
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure vari…
- CVE-2022-39349MEDIUMCVSS 5.5EG 5.52022-10-25
The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components in the same device and convert them to tasks. …
- CVE-2022-3952LOWCVSS 2.6EG 2.62022-11-11
A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary fil…
- CVE-2022-39857HIGHCVSS 7.3EG 5.52022-10-07
Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege.
- CVE-2022-39860MEDIUMCVSS 4.4EG 3.52022-10-07
Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39864LOWCVSS 3.3EG 7.52022-10-07
Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
- CVE-2022-39865MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39866MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39867MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
- CVE-2022-39868MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39869MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
- CVE-2022-39870MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
- CVE-2022-39871MEDIUMCVSS 4.0EG 7.52022-10-07
Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
- CVE-2022-39886MEDIUMCVSS 5.9EG 3.32022-11-09
Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.
- CVE-2022-39952CRITICALCVSS 9.8EG 9.82023-02-16
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated …
- CVE-2022-40210MEDIUMCVSS 6.8EG 6.82023-05-10
Exposure of data element to wrong session in the Intel DCM software before version 5.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-40234MEDIUMCVSS 5.9EG 5.92022-09-19
Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generate…
- CVE-2022-4025MEDIUMCVSS 4.3EG 4.32023-01-02
Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low)
- CVE-2022-40523HIGHCVSS 7.1EG 7.12023-06-06
Information disclosure in Kernel due to indirect branch misprediction.
- CVE-2022-40525HIGHCVSS 7.1EG 7.12023-06-06
Information disclosure in Linux Networking Firmware due to unauthorized information leak during side channel analysis.
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →