VYPR

CWE-668

Exposure of Resource to Wrong Sphere

Abstraction: Class | Status: Draft

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Hierarchy (View 1000)

CVEs mapped to this weakness (268)

page 2 of 14
  • CVE-2017-15393 | High | Feb 7, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak.

  • CVE-2017-15592 | High | Oct 18, 2017
    risk 0.57 | cvss 8.8 | epss 0.00

    An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests.

  • CVE-2026-8958 | High | May 19, 2026
    risk 0.56 | cvss 8.6 | epss 0.00

    Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

  • CVE-2026-23763 | High | Jan 22, 2026
    risk 0.55 | cvss (not listed) | epss 0.00

    VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer…

  • CVE-2024-43704 | High | Nov 18, 2024
    risk 0.55 | cvss 8.4 | epss 0.00

    Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

  • CVE-2017-5648 | Critical | Apr 17, 2017
    risk 0.53 | cvss 9.1 | epss 0.13

    While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a…

  • CVE-2026-42535 | Critical | Jun 8, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

  • CVE-2025-32428 | Critical | Apr 15, 2025
    risk 0.52 | cvss (not listed) | epss 0.01

    Jupyter Remote Desktop Proxy allows you to run a Linux Desktop on a JupyterHub. jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by…

  • CVE-2023-5751 | High | Jun 4, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    A local attacker with low privileges can read and modify any user's files and cause a DoS in the working directory of the affected products due to exposure of resource to wrong sphere.

  • CVE-2024-21813 | High | May 16, 2024
    risk 0.51 | cvss 7.9 | epss 0.00

    Exposure of resource to wrong sphere in some Intel(R) DTT software installers may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2023-26243 | High | Apr 27, 2023
    risk 0.51 | cvss 7.8 | epss 0.00

    An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The decryption binary used to decrypt firmware files has an information leak that allows an attacker to read the AES key and initialization vector from memory. An…

  • CVE-2018-10361 | High | Apr 25, 2018
    risk 0.51 | cvss 7.8 | epss 0.00

    An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The…

  • CVE-2017-8185 | High | Nov 22, 2017
    risk 0.51 | cvss 7.8 | epss 0.00

    ME906s-158 earlier than ME906S_Installer_13.1805.10.3 versions has a privilege elevation vulnerability. An attacker could exploit this vulnerability to modify the configuration information containing malicious files and trick users into executing the files, resulting in the…

  • CVE-2026-44552 | High | May 15, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and…

  • CVE-2026-39911 | High | Apr 9, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript…

  • CVE-2026-28806 | High | Mar 10, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target…

  • CVE-2018-6910 | High | Feb 13, 2018
    risk 0.50 | cvss 7.5 | epss 0.19

    DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php.

  • CVE-2023-35696 | High | Jul 10, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    Unauthenticated endpoints in the SICK ICR890-4 could allow an unauthenticated remote attacker to retrieve sensitive information about the device via HTTP requests.

  • CVE-2023-2703 | High | May 23, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07.

  • CVE-2017-18073 | High | Apr 11, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835, the HLOS can gain access to unauthorized memory.