VYPR

CWE-668

Exposure of Resource to Wrong Sphere

Class, Draft

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Hierarchy (View 1000)

CVEs mapped to this weakness (268)

page 8 of 14
  • CVE-2023-44394 (Oct 16, 2023)
    risk 0.00 | cvss | epss 0.01

    MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been…

  • CVE-2023-42792 (Oct 14, 2023)
    risk 0.00 | cvss | epss 0.01

    Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus,…

  • CVE-2023-39155 (Jul 26, 2023)
    risk 0.00 | cvss | epss 0.00

    Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

  • CVE-2023-34189 (Jul 25, 2023)
    risk 0.00 | cvss | epss 0.01

    Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate. …

  • CVE-2023-3299 (Jul 19, 2023)
    risk 0.00 | cvss | epss 0.00

    In HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10, ACL policies using a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

  • CVE-2023-35151 (Jun 23, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki…

  • CVE-2023-34467 (Jun 23, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the REST response…

  • CVE-2023-31103 (May 22, 2023)
    risk 0.00 | cvss | epss 0.01

    Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong's…

  • CVE-2023-31206 (May 22, 2023)
    risk 0.00 | cvss | epss 0.01

    Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong's 1.7.0…

  • CVE-2023-27564 (May 10, 2023)
    risk 0.00 | cvss | epss 0.01

    The n8n package 0.218.0 for Node.js allows Information Disclosure.

  • CVE-2023-29208 (Apr 15, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Commons are technical libraries common to several other top-level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impacts deleted documents that contained view rights: the view…

  • CVE-2023-29203 (Apr 15, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Commons are technical libraries common to several other top-level XWiki projects. It's possible to list some users who are normally not viewable from a subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns…

  • CVE-2023-1777 (Mar 31, 2023)
    risk 0.00 | cvss | epss 0.01

    Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.

  • CVE-2023-1775 (Mar 31, 2023)
    risk 0.00 | cvss | epss 0.01

    When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients.

  • CVE-2023-1402 (Mar 23, 2023)
    risk 0.00 | cvss | epss 0.01

    The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

  • CVE-2023-28336 (Mar 23, 2023)
    risk 0.00 | cvss | epss 0.01

    Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

  • CVE-2023-28433 (Mar 22, 2023)
    risk 0.00 | cvss | epss 0.01

    MinIO is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as…

  • CVE-2022-44310 (Feb 24, 2023)
    risk 0.00 | cvss | epss 0.01

    In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.

  • CVE-2023-0481 (Feb 24, 2023)
    risk 0.00 | cvss | epss 0.00

    In the RESTEasy Reactive implementation of Quarkus, the insecure File.createTempFile() is used in the FileBodyHandler class, which creates temp files with insecure permissions that could be read by a local user.

  • CVE-2022-4903 (Feb 10, 2023)
    risk 0.00 | cvss | epss 0.01

    A vulnerability was found in CodenameOne 7.0.70. It has been classified as problematic. Affected is an unknown function. The manipulation leads to use of implicit intent for sensitive communication. It is possible to launch the attack remotely. The complexity of an attack is…