CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 20 of 23
- CVE-2023-39056MEDIUMCVSS 6.5EG 6.52023-09-18
An information leak in Coffee-jumbo v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
- CVE-2023-39058MEDIUMCVSS 6.5EG 6.52023-09-18
An information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
- CVE-2023-39155MEDIUMCVSS 5.3EG 3.12023-07-26
Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
- CVE-2023-39171HIGHCVSS 7.2EG 7.22023-12-07
SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.
- CVE-2023-39214HIGHCVSS 7.6EG 7.62023-08-08
Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network access.
- CVE-2023-39250HIGHCVSS 7.8EG 7.82023-08-16
Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to 6.1.1 and Replay Manager for VMware (RMSV) versions prior to 3.1.2 contain an information disclosure vulnerability. A loc…
- CVE-2023-39383HIGHCVSS 7.5EG 7.52023-08-13
Vulnerability of input parameters being not strictly verified in the AMS module. Successful exploitation of this vulnerability may compromise apps' data security.
- CVE-2023-39478HIGHCVSS 8.8EG 6.62024-05-03
Softing Secure Integration Server Exposure of Resource to Wrong Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing Secure Integration Server…
- CVE-2023-3972HIGHCVSS 7.8EG 7.82023-11-01
A vulnerability was found in insights-client. This security issue occurs because of insecure file operations or unsafe handling of temporary files and directories that lead to local privilege escalation. Before the insights-client has been…
- CVE-2023-39974MEDIUMCVSS 5.3EG 5.32023-08-17
Exposure of Sensitive Information vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized actors to get the number of subscribers in a specific list.
- CVE-2023-40788MEDIUMCVSS 5.3EG 5.32023-09-19
SpringBlade <=V3.6.0 is vulnerable to Incorrect Access Control due to incorrect configuration in the default gateway resulting in unauthorized access to error logs
- CVE-2023-41120MEDIUMCVSS 6.5EG 6.52023-12-12
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remov…
- CVE-2023-41742HIGHCVSS 7.5EG 4.32023-08-31
Excessive attack surface due to binding to an unrestricted IP address. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30430, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.
- CVE-2023-41745MEDIUMCVSS 5.5EG 6.12023-08-31
Sensitive information disclosure due to excessive collection of system information. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 30991, Acronis Cyber Protect 15 (Linux, macOS, Windows) before buil…
- CVE-2023-41786MEDIUMCVSS 6.5EG 6.82023-11-23
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 70…
- CVE-2023-4217MEDIUMCVSS 5.3EG 3.12023-11-02
A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user sess…
- CVE-2023-4230MEDIUMCVSS 5.3EG 5.32023-08-24
A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, which has the potential to facilitate the collection of information on ioLogik 4000 Series devices. This vulnerability may enable …
- CVE-2023-42546MEDIUMCVSS 6.5EG 6.52023-11-07
Use of implicit intent for sensitive communication vulnerability in startAgreeToDisclaimerActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
- CVE-2023-42547MEDIUMCVSS 6.5EG 6.52023-11-07
Use of implicit intent for sensitive communication vulnerability in startEmailValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
- CVE-2023-42549MEDIUMCVSS 6.5EG 6.52023-11-07
Use of implicit intent for sensitive communication vulnerability in startNameValidationActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
- CVE-2023-42551MEDIUMCVSS 6.5EG 6.52023-11-07
Use of implicit intent for sensitive communication vulnerability in startTncActivity in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary file with Samsung Account privilege.
- CVE-2023-42715MEDIUMCVSS 5.5EG 5.52023-12-04
In telephony service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed
- CVE-2023-42716HIGHCVSS 7.5EG 7.52023-12-04
In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed
- CVE-2023-42717HIGHCVSS 7.5EG 7.52023-12-04
In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed
- CVE-2023-42718MEDIUMCVSS 5.5EG 5.52023-12-04
In dialer, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed
- CVE-2023-42792MEDIUMCVSS 6.5EG 6.52023-10-14
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
- CVE-2023-43782MEDIUMCVSS 5.5EG 5.52023-09-22
Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/.cadence-aloop-daemon.x Temporary File. The file is used even if it has been created by a local adversary before Cadence started. The adversary can then delete the file, disrupting Cad…
- CVE-2023-43783HIGHCVSS 7.5EG 7.52023-09-22
Cadence through 0.9.2 2023-08-21 uses an Insecure /tmp/cadence-wineasio.reg Temporary File. The filename is used even if it has been created by a local adversary before Cadence started. The adversary can leverage this to create or overwrit…
- CVE-2023-43784HIGHCVSS 7.5EG 7.52023-09-22
Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat.
- CVE-2023-44101HIGHCVSS 7.5EG 7.52023-10-11
The Bluetooth module has a vulnerability in permission control for broadcast notifications.Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2023-44102MEDIUMCVSS 5.3EG 5.32023-10-11
Broadcast permission control vulnerability in the Bluetooth module.Successful exploitation of this vulnerability can cause the Bluetooth function to be unavailable.
- CVE-2023-44122HIGHCVSS 7.8EG 6.12023-09-27
The vulnerability is to theft of arbitrary files with system privilege in the LockScreenSettings ("com.lge.lockscreensettings") app in the "com/lge/lockscreensettings/dynamicwallpaper/MyCategoryGuideActivity.java" file. The main problem is…
- CVE-2023-44124LOWCVSS 3.3EG 6.12023-09-27
The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is…
- CVE-2023-44394MEDIUMCVSS 4.3EG 4.32023-10-16
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been address…
- CVE-2023-45145LOWCVSS 3.6EG 3.62023-10-18
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition …
- CVE-2023-45357MEDIUMCVSS 6.5EG 4.32023-10-17
Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a sensitive information disclosure vulnerability. An authenticated attacker could potentially obtain access to sensitive information via a popup warning message. 6.14 (6.14.0) is…
- CVE-2023-45911CRITICALCVSS 9.8EG 9.82023-10-18
An issue in WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 allows unauthenticated attackers to login as any user without a password.
- CVE-2023-48291MEDIUMCVSS 4.3EG 4.32023-12-21
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs th…
- CVE-2023-4910MEDIUMCVSS 5.5EG 5.52023-11-06
A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache.
- CVE-2023-4933MEDIUMCVSS 5.3EG 5.32023-10-16
The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the aut…
- CVE-2023-49342HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras Clockworks applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attacke…
- CVE-2023-49343HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras Dropby applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers m…
- CVE-2023-49344HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras Window Shuffler applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. At…
- CVE-2023-49345HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attacke…
- CVE-2023-49346HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras WeatherShow applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attack…
- CVE-2023-49347HIGHCVSS 7.8EG 6.02023-12-14
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attacker…
- CVE-2023-50328LOWCVSS 3.7EG 3.72024-02-02
IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110.
- CVE-2023-52700MEDIUMCVSS 5.5EG 5.52024-05-21
In the Linux kernel, the following vulnerability has been resolved: tipc: fix kernel warning when sending SYN message When sending a SYN message, this kernel stack trace is observed: ... [ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x5…
- CVE-2023-53392HIGHCVSS 7.1EG 7.12025-09-18
In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix kernel panic during warm reset During warm reset device->fw_client is set to NULL. If a bus driver is registered after this NULL setting and befo…
- CVE-2023-5542MEDIUMCVSS 4.3EG 3.32023-11-09
Students in "Only see own membership" groups could see other students in the group, which should be hidden.
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →