CWE-669
Incorrect Resource Transfer Between Spheres
Description
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Hierarchy (View 1000)
CVEs mapped to this weakness (54)
page 3 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2002-0055 | 0.03 | — | 0.38 | Mar 8, 2002 | SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request. | |||
| CVE-2025-67895 | 0.00 | — | 0.01 | Dec 17, 2025 | Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you… | |||
| CVE-2025-46553 | — | 0.00 | — | 0.00 | May 5, 2025 | @misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey… | ||
| CVE-2024-37891 | 0.00 | — | 0.01 | Jun 17, 2024 | urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support,… | |||
| CVE-2024-29018 | 0.00 | — | 0.01 | Mar 20, 2024 | Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be… | |||
| CVE-2022-46173 | — | 0.00 | — | 0.01 | Dec 28, 2022 | Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad… | ||
| CVE-2022-39225 | 0.00 | — | 0.00 | Sep 23, 2022 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an… | |||
| CVE-2022-35916 | 0.00 | — | 0.00 | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls,… | |||
| CVE-2021-25973 | — | 0.00 | — | 0.01 | Nov 2, 2021 | In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only. | ||
| CVE-2020-15257 | 0.00 | — | 0.03 | Dec 1, 2020 | containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified… | |||
| CVE-2019-10753 | — | 0.00 | — | 0.01 | Sep 5, 2019 | In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure… | ||
| CVE-2019-12728 | — | 0.00 | — | 0.01 | Jun 4, 2019 | Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP. | ||
| CVE-2019-10248 | — | 0.00 | — | 0.00 | Apr 22, 2019 | Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected. | ||
| CVE-2004-0872 | 0.00 | — | 0.03 | Sep 16, 2004 | Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie… |
- CVE-2002-0055Mar 8, 2002risk 0.03cvss —epss 0.38
SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request.
- CVE-2025-67895Dec 17, 2025risk 0.00cvss —epss 0.01
Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you…
- CVE-2025-46553May 5, 2025risk 0.00cvss —epss 0.00
@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey…
- CVE-2024-37891Jun 17, 2024risk 0.00cvss —epss 0.01
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support,…
- CVE-2024-29018Mar 20, 2024risk 0.00cvss —epss 0.01
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be…
- CVE-2022-46173Dec 28, 2022risk 0.00cvss —epss 0.01
Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad…
- CVE-2022-39225Sep 23, 2022risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an…
- CVE-2022-35916Aug 1, 2022risk 0.00cvss —epss 0.00
OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls,…
- CVE-2021-25973Nov 2, 2021risk 0.00cvss —epss 0.01
In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only.
- CVE-2020-15257Dec 1, 2020risk 0.00cvss —epss 0.03
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified…
- CVE-2019-10753Sep 5, 2019risk 0.00cvss —epss 0.01
In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure…
- CVE-2019-12728Jun 4, 2019risk 0.00cvss —epss 0.01
Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.
- CVE-2019-10248Apr 22, 2019risk 0.00cvss —epss 0.00
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected.
- CVE-2004-0872Sep 16, 2004risk 0.00cvss —epss 0.03
Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie…