CWE-668— Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.— MITRE CWE catalog
1,109 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-668page 9 of 23
- CVE-2021-37968MEDIUMCVSS 4.3EG 4.32021-10-08
Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2021-38004MEDIUMCVSS 4.3EG 4.32021-11-23
Insufficient policy enforcement in Autofill in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2021-38009MEDIUMCVSS 6.5EG 6.52021-12-23
Inappropriate implementation in cache in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
- CVE-2021-38130MEDIUMCVSS 6.5EG 6.52022-02-04
A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to create an information leakage attack.
- CVE-2021-38376MEDIUMCVSS 5.3EG 5.32021-11-22
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call.
- CVE-2021-38378MEDIUMCVSS 4.3EG 4.32021-11-22
OX App Suite 7.10.5 allows Information Exposure because a caching mechanism can caused a Modified By response to show a person's name.
- CVE-2021-38505MEDIUMCVSS 6.5EG 6.52021-12-08
Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to pr…
- CVE-2021-38587HIGHCVSS 7.5EG 7.52021-08-11
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
- CVE-2021-3859HIGHCVSS 7.5EG 7.52022-08-26
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
- CVE-2021-38712HIGHCVSS 7.5EG 7.52021-08-16
OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file.
- CVE-2021-38874MEDIUMCVSS 4.3EG 4.32022-04-27
IBM QRadar SIEM 7.3, 7.4, and 7.5 allows for users to access information across tenant and domain boundaries in some situations. IBM X-Force ID: 208397.
- CVE-2021-38879MEDIUMCVSS 5.3EG 5.32022-06-24
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitiv…
- CVE-2021-38904MEDIUMCVSS 6.5EG 6.52022-04-22
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings. IBM X-Force ID: 209693.
- CVE-2021-38905MEDIUMCVSS 4.3EG 4.32022-04-22
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authenticated user to view report pages that they should not have access to. IBM X-Force ID: 209697.
- CVE-2021-38924HIGHCVSS 7.5EG 7.52022-09-14
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the…
- CVE-2021-38931MEDIUMCVSS 6.5EG 6.52021-12-09
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from…
- CVE-2021-39045MEDIUMCVSS 5.5EG 5.52022-09-01
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345.
- CVE-2021-39127MEDIUMCVSS 5.3EG 5.32021-10-21
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10,…
- CVE-2021-39184MEDIUMCVSS 6.8EG 6.82021-10-12
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitr…
- CVE-2021-39212MEDIUMCVSS 4.4EG 4.42021-09-13
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript …
- CVE-2021-39628LOWCVSS 3.3EG 3.32022-01-14
In StatusBar.java, there is a possible disclosure of notification content on the lockscreen due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction …
- CVE-2021-39631MEDIUMCVSS 5.5EG 5.52022-02-11
In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no ad…
- CVE-2021-39633MEDIUMCVSS 5.5EG 5.52022-01-14
In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploita…
- CVE-2021-39646HIGHCVSS 7.5EG 7.52021-12-15
Product: AndroidVersions: Android kernelAndroid ID: A-201537251References: N/A
- CVE-2021-39648MEDIUMCVSS 4.1EG 4.12021-12-15
In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is not neede…
- CVE-2021-39715MEDIUMCVSS 4.4EG 4.42022-03-16
In __show_regs of process.c, there is a possible leak of kernel memory and addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed…
- CVE-2021-39757MEDIUMCVSS 5.5EG 5.52022-03-30
In PermissionController, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: …
- CVE-2021-39777MEDIUMCVSS 5.5EG 5.52022-03-30
In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. U…
- CVE-2021-39805MEDIUMCVSS 6.5EG 6.52022-04-12
In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure through Bluetooth with no additional execution privileges needed. User interact…
- CVE-2021-39866MEDIUMCVSS 5.4EG 5.42021-10-05
A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens.
- CVE-2021-39884MEDIUMCVSS 4.3EG 4.32021-10-05
In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project.
- CVE-2021-39892MEDIUMCVSS 4.3EG 4.32022-01-18
In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users.
- CVE-2021-39898LOWCVSS 3.7EG 5.32021-11-05
In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.
- CVE-2021-39900LOWCVSS 2.0EG 2.72021-10-04
Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.
- CVE-2021-39915MEDIUMCVSS 5.3EG 5.32021-12-13
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the…
- CVE-2021-39969HIGHCVSS 7.5EG 7.52022-01-03
There is an Unauthorized file access vulnerability in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.
- CVE-2021-39971HIGHCVSS 7.5EG 7.52022-01-03
Password vault has a External Control of System or Configuration Setting vulnerability.Successful exploitation of this vulnerability could compromise confidentiality.
- CVE-2021-39972HIGHCVSS 7.5EG 7.52022-01-03
MyHuawei-App has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could compromise confidentiality.
- CVE-2021-39980MEDIUMCVSS 5.3EG 5.32022-01-03
Telephony application has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability.Successful exploitation of this vulnerability could lead to sensitive information disclosure.
- CVE-2021-40005HIGHCVSS 7.5EG 7.52022-01-10
The distributed data service component has a vulnerability in data access control. Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2021-40012HIGHCVSS 7.5EG 7.52022-07-12
Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2021-40051HIGHCVSS 7.5EG 7.52022-03-10
There is an unauthorized access vulnerability in system components. Successful exploitation of this vulnerability will affect confidentiality.
- CVE-2021-40086LOWCVSS 2.2EG 2.22021-08-25
An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While…
- CVE-2021-40288HIGHCVSS 7.5EG 7.52021-12-07
A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter spe…
- CVE-2021-40496MEDIUMCVSS 4.3EG 4.32021-10-12
SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an attacker with logon functionality, to exploit the authentication function by using POST and form field to…
- CVE-2021-40497MEDIUMCVSS 5.3EG 5.32021-10-12
SAP BusinessObjects Analysis (edition for OLAP) - versions 420, 430, allows an attacker to exploit certain application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation coul…
- CVE-2021-40639HIGHCVSS 7.5EG 7.52021-09-15
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.
- CVE-2021-40862HIGHCVSS 8.8EG 8.82021-09-15
HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configur…
- CVE-2021-41011HIGHCVSS 7.5EG 7.52021-09-22
LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this…
- CVE-2021-41032MEDIUMCVSS 6.3EG 5.42022-05-04
An improper access control vulnerability [CWE-284] in FortiOS versions 6.4.8 and prior and 7.0.3 and prior may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel sta…
Map vulnerabilities like CWE-668 to your infrastructure
EchelonGraph correlates every CVE — across CWE-668 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →