VYPR

CWE-668

Exposure of Resource to Wrong Sphere

Abstraction: Class, Status: Draft

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Hierarchy (View 1000)

CVEs mapped to this weakness (268)

page 10 of 14
  • CVE-2022-24823 (May 6, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can…

  • CVE-2022-24897 (May 2, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations…

  • CVE-2022-1385 (Apr 19, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

  • CVE-2022-27817 (Apr 14, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    SWHKD 1.1.5 consumes the keyboard events of unintended users. This could potentially cause an information leak, but is usually a denial of functionality.

  • CVE-2022-27814 (Apr 14, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.

  • CVE-2022-27818 (Apr 7, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    SWHKD 1.1.5 unsafely uses the /tmp/swhkd.sock pathname. There can be an information leak or denial of service.

  • CVE-2022-27772 (Mar 30, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products…

  • CVE-2022-28160 (Mar 29, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller.

  • CVE-2022-0315 (Mar 24, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Insecure Temporary File in GitHub repository horovod/horovod prior to 0.24.0.

  • CVE-2021-4180 (Mar 23, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would…

  • CVE-2022-21718 (Mar 22, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth…

  • CVE-2022-24742 (Mar 14, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if the browser tab remains open after logout. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must…

  • CVE-2022-24747 (Mar 9, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions of Shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be…

  • CVE-2022-0762 (Feb 26, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.

  • CVE-2022-0736 (Feb 23, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

  • CVE-2022-25336 (Feb 18, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

  • CVE-2020-13670 (Feb 11, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10;…

  • CVE-2022-23563 (Feb 4, 2022)
    risk 0.00 | cvss n/a | epss 0.00

    Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses `tempfile.mktemp` to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check…
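The TensorFlow entry above, and the Spring Boot, Horovod and MLflow temporary-file entries earlier on this page, all describe the same check-then-use window: a name is chosen in a shared temp directory, nothing is created yet, and a local attacker who can write there gets to the name first. The following is an added example, not code from TensorFlow or any of the projects listed; it simulates the attacker in-process (the race is "won" deterministically by planting a symlink before the victim opens the name), assumes a POSIX filesystem where the current user can create symlinks, and contrasts `tempfile.mktemp` with the exclusive-create pattern that `tempfile.mkstemp` uses.

```python
"""Added example: tempfile.mktemp() as a check-then-use race, and the
O_CREAT|O_EXCL fix. Not code from TensorFlow, Horovod, MLflow or Spring Boot.

Assumes POSIX semantics (symlinks, 0600 modes). The attacker who wins the
race is simulated in-process; in the real reports it is another local user
sharing the same temp directory.
"""
import os
import stat
import tempfile
from typing import Dict, Optional

PAYLOAD = b"victim's private data"  # constructed sample content


def write_temp_unsafe(payload: bytes, planted_link_to: Optional[str] = None) -> str:
    """Vulnerable pattern: mktemp() only returns a name that was free when it
    looked; it creates nothing. Anyone who can write to the temp directory may
    create a symlink at that name before open() runs. If planted_link_to is
    given we simulate the attacker winning that race; the victim's open() then
    follows the link and the payload lands in the attacker's chosen target."""
    name = tempfile.mktemp(prefix="unsafe-")
    if planted_link_to is not None:
        os.symlink(planted_link_to, name)       # attacker's move, in the window
    with open(name, "wb") as fh:                # follows symlinks, truncates target
        fh.write(payload)
    return name


def write_temp_safe(payload: bytes) -> str:
    """Fixed pattern: mkstemp() creates the file with O_CREAT|O_EXCL and mode
    0600 and returns an already-open descriptor, so there is no gap between
    choosing the name and owning the file."""
    fd, name = tempfile.mkstemp(prefix="safe-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return name


def open_exclusive(path: str) -> int:
    """What mkstemp does internally, spelled out. O_EXCL makes the open fail
    (EEXIST) if anything already sits at path, a symlink included, instead of
    following it; O_NOFOLLOW is added where the platform has it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def run_tempfile_demo() -> Dict[str, bool]:
    """Run both patterns against the simulated race and report the outcome."""
    results: Dict[str, bool] = {}

    # Attacker-controlled target: the file they want the victim to overwrite.
    tgt_fd, target = tempfile.mkstemp(prefix="attacker-target-")
    os.close(tgt_fd)

    link = write_temp_unsafe(PAYLOAD, planted_link_to=target)
    with open(target, "rb") as fh:
        results["unsafe_wrote_through_symlink"] = fh.read() == PAYLOAD
    results["unsafe_path_is_symlink"] = os.path.islink(link)

    safe = write_temp_safe(PAYLOAD)
    st = os.lstat(safe)
    results["safe_is_regular_file"] = stat.S_ISREG(st.st_mode)
    results["safe_mode_is_0600"] = stat.S_IMODE(st.st_mode) == 0o600

    # Same race, but the victim uses an exclusive create: the planted link now
    # makes the open fail (FileExistsError, or ELOOP where O_NOFOLLOW fires
    # first) rather than redirecting the write.
    planted = tempfile.mktemp(prefix="planted-")
    os.symlink(target, planted)
    try:
        os.close(open_exclusive(planted))
        results["exclusive_refused_planted_link"] = False
    except OSError:
        results["exclusive_refused_planted_link"] = True

    for p in (link, planted, safe, target):
        os.unlink(p)
    return results


if __name__ == "__main__":
    for key, value in run_tempfile_demo().items():
        print(f"{key}: {value}")
```

The same reasoning applies to temporary directories: `os.mkdir` on a predictable name in a shared `/tmp` can be pre-empted by an attacker-created directory, while `tempfile.mkdtemp` creates a fresh 0700 directory with an unpredictable name and fails rather than reusing one that already exists.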

  • CVE-2022-21724 (Feb 2, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin…

  • CVE-2021-23484 (Jan 28, 2022)
    risk 0.00 | cvss n/a | epss 0.02

    The package zip-local before 0.3.5 is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip), which can lead to extraction of a crafted file outside the intended extraction directory.
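The zip-local entry above describes the Zip Slip shape of CWE-668: an archive member name such as `../../evil.txt` or an absolute path is joined onto the extraction directory and the write lands outside it. The following is an added example, not code from zip-local; it builds a small archive in memory (constructed sample entries), shows the vulnerable join-and-write pattern beside a hardened extractor, and uses `os.path.realpath` plus `os.path.commonpath` so that `..` components, absolute names and a symlinked destination are all judged by where the write would really go. POSIX paths are assumed.

```python
"""Added example: detecting and refusing Zip Slip entries. Not zip-local's code.

The archive is constructed in memory so the example runs offline; the two
hostile names mimic the classic escape shapes (".." traversal, absolute path).
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member and two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("../../evil.txt", "escaped via ..\n")
        zf.writestr("/abs/etc/passwd", "escaped via absolute path\n")
    return buf.getvalue()


def resolve_inside(dest: str, member_name: str) -> str:
    """Return the canonical path the member would be written to, or raise
    ValueError if that path is not under dest.

    realpath() canonicalises both sides, so "a/../../x", a leading "/" and a
    symlinked dest are all handled the same way. commonpath() avoids the
    startswith() bug where "/out2/x" or "/out/../outside" passes as a child
    of "/out"."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"zip slip: {member_name!r} resolves to {target!r}")
    return target


def find_escaping_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Audit mode: list every member whose resolved path escapes dest."""
    bad: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_inside(dest, info.filename)
            except ValueError:
                bad.append(info.filename)
    return bad


def extract_unsafe(zip_bytes: bytes, dest: str) -> List[str]:
    """The vulnerable shape: trust the member name and join it onto dest.
    Shown for contrast only; run_zipslip_demo() never calls it with the
    hostile archive because it really would write outside dest."""
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = os.path.join(dest, info.filename)   # ".." and "/" escape here
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(path)
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> List[str]:
    """Hardened extraction: validate every member before writing anything,
    fail closed on the first escape, then write only through validated paths."""
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, resolve_inside(dest, info.filename)) for info in zf.infolist()]
        for info, path in targets:
            if info.is_dir():
                os.makedirs(path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(path)
    return written


def run_zipslip_demo() -> Dict[str, object]:
    """Audit the hostile sample, confirm extract_safe refuses it, and confirm
    a clean archive still extracts into dest."""
    dest = tempfile.mkdtemp(prefix="unzip-")
    hostile = build_sample_zip()
    escaping = find_escaping_entries(hostile, dest)
    try:
        extract_safe(hostile, dest)
        rejected = False
    except ValueError:
        rejected = True
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
    written = extract_safe(clean.getvalue(), dest)
    rel = [os.path.relpath(p, os.path.realpath(dest)) for p in written]
    return {"escaping": escaping, "rejected": rejected, "clean_written": rel}


if __name__ == "__main__":
    print(run_zipslip_demo())
```

Validating the whole member list before the first write matters: an extractor that checks each member as it goes still leaves the benign members of a hostile archive on disk when it aborts halfway, which is usually not the state you want to be in.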