VYPR

CWE-668

Exposure of Resource to Wrong Sphere

Class · Draft

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Hierarchy (View 1000)

CVEs mapped to this weakness (268)

page 9 of 14
  • CVE-2022-45438 · Jan 16, 2023
    risk 0.00 cvss epss 0.01

    When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and…

  • CVE-2022-24913 · Jan 12, 2023
    risk 0.00 cvss epss 0.00

    Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.

  • CVE-2018-25068 · Jan 6, 2023
    risk 0.00 cvss epss 0.01

    A vulnerability has been found in devent globalpom-utils up to 4.5.0 and classified as critical. This vulnerability affects the function createTmpDir of the file globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.…

  • CVE-2022-45935 · Jan 6, 2023
    risk 0.00 cvss epss 0.00

    Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components include the SMTP stack and IMAP APPEND command. This issue affects Apache James server version…

  • CVE-2015-10004 · Dec 27, 2022
    risk 0.00 cvss epss 0.01

    Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

  • CVE-2022-47410 · Dec 14, 2022
    risk 0.00 cvss epss 0.01

    An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via createAction operations.

  • CVE-2022-47411 · Dec 14, 2022
    risk 0.00 cvss epss 0.01

    An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via unsubscribeAction operations.

  • CVE-2022-21126 · Nov 29, 2022
    risk 0.00 cvss epss 0.01

    The package com.github.samtools:htsjdk before 3.0.1 is vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create…

  • CVE-2022-41954 · Nov 25, 2022
    risk 0.00 cvss epss 0.00

    MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`.…

  • CVE-2022-41946 · Nov 23, 2022
    risk 0.00 cvss epss 0.00

    pgjdbc is an open source PostgreSQL JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will…

  • CVE-2022-3952 · Nov 11, 2022
    risk 0.00 cvss epss 0.01

    A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure…

  • CVE-2022-3866 · Nov 10, 2022
    risk 0.00 cvss epss 0.01

    HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

  • CVE-2022-39315 · Oct 25, 2022
    risk 0.00 cvss epss 0.01

    Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks…

  • CVE-2022-40316 · Sep 30, 2022
    risk 0.00 cvss epss 0.01

    The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

  • CVE-2022-34867 · Sep 6, 2022
    risk 0.00 cvss epss 0.01

    Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin <= 2.0.8 at WordPress allows attackers to list and delete submissions. Affects only versions from 2.0.0 to 2.0.8.

  • CVE-2021-3859 · Aug 26, 2022
    risk 0.00 cvss epss 0.01

    A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

  • CVE-2022-35936 · Aug 5, 2022
    risk 0.00 cvss epss 0.01

    Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount` function, all contracts that…

  • CVE-2022-36901 · Jul 27, 2022
    risk 0.00 cvss epss 0.01

    Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-30187 · Jul 12, 2022
    risk 0.00 cvss epss 0.01

    Azure Storage Library Information Disclosure Vulnerability

  • CVE-2022-29247 · Jun 13, 2022
    risk 0.00 cvss epss 0.01

    Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with…