CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-668

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-44549 668 2022-11-09 2022-11-10
0.0
None ??? ??? ??? ??? ??? ???
The LBS module has a vulnerability in geofencing API access. Successful exploitation of this vulnerability may cause third-party apps to access the geofencing APIs without authorization, affecting user confidentiality.
2 CVE-2022-42442 668 2022-11-03 2022-11-04
0.0
None ??? ??? ??? ??? ??? ???
"IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214."
3 CVE-2022-40816 668 2022-09-27 2022-09-29
0.0
None ??? ??? ??? ??? ??? ???
Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in , 5.2.2.
4 CVE-2022-40768 668 +Info 2022-09-18 2022-11-08
0.0
None ??? ??? ??? ??? ??? ???
drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
5 CVE-2022-40316 668 2022-09-30 2022-10-04
0.0
None ??? ??? ??? ??? ??? ???
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
6 CVE-2022-40234 668 +Info 2022-09-19 2022-09-21
0.0
None ??? ??? ??? ??? ??? ???
Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate. IBM X-Force ID: 235718.
7 CVE-2022-39886 668 2022-11-09 2022-11-10
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.
8 CVE-2022-39871 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
9 CVE-2022-39870 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
10 CVE-2022-39869 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
11 CVE-2022-39868 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
12 CVE-2022-39867 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
13 CVE-2022-39866 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
14 CVE-2022-39865 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
15 CVE-2022-39864 668 2022-10-07 2022-10-11
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
16 CVE-2022-39860 668 2022-10-07 2022-10-12
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.
17 CVE-2022-39857 668 2022-10-07 2022-10-07
0.0
None ??? ??? ??? ??? ??? ???
Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege.
18 CVE-2022-39349 668 2022-10-25 2022-10-28
0.0
None ??? ??? ??? ??? ??? ???
The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.
19 CVE-2022-39315 668 2022-10-25 2022-10-26
0.0
None ??? ??? ??? ??? ??? ???
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.
20 CVE-2022-39309 668 2022-10-14 2022-10-21
0.0
None ??? ??? ??? ??? ??? ???
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
21 CVE-2022-39015 668 2022-10-11 2022-10-14
0.0
None ??? ??? ??? ??? ??? ???
Under certain conditions, BOE AdminTools/ BOE SDK allows an attacker to access information which would otherwise be restricted.
22 CVE-2022-38813 668 2022-11-25 2022-11-29
0.0
None ??? ??? ??? ??? ??? ???
PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.
23 CVE-2022-38770 668 2022-09-13 2022-09-17
0.0
None ??? ??? ??? ??? ??? ???
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.
24 CVE-2022-38400 668 2022-09-08 2022-09-14
0.0
None ??? ??? ??? ??? ??? ???
Mailform Pro CGI 4.3.1 and earlier allow a remote unauthenticated attacker to obtain the user input data by having a use of the product to access a specially crafted URL.
25 CVE-2022-38258 668 DoS File Inclusion 2022-09-08 2022-09-15
0.0
None ??? ??? ??? ??? ??? ???
A local file inclusion (LFI) vulnerability in D-Link DIR 819 v1.06 allows attackers to cause a Denial of Service (DoS) or access sensitive server information via manipulation of the getpage parameter in a crafted web request.
26 CVE-2022-38184 668 2022-08-16 2022-08-17
0.0
None ??? ??? ??? ??? ??? ???
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
27 CVE-2022-38006 668 2022-09-13 2022-09-16
0.0
None ??? ??? ??? ??? ??? ???
Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-35837.
28 CVE-2022-37985 668 2022-10-11 2022-10-12
0.0
None ??? ??? ??? ??? ??? ???
Windows Graphics Component Information Disclosure Vulnerability.
29 CVE-2022-37974 668 2022-10-11 2022-10-12
0.0
None ??? ??? ??? ??? ??? ???
Windows Mixed Reality Developer Tools Information Disclosure Vulnerability.
30 CVE-2022-37958 668 2022-09-13 2022-09-16
0.0
None ??? ??? ??? ??? ??? ???
SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability.
31 CVE-2022-37703 668 +Info 2022-09-13 2022-10-01
0.0
None ??? ??? ??? ??? ??? ???
In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.
32 CVE-2022-37438 668 +Info 2022-08-16 2022-08-18
0.0
None ??? ??? ??? ??? ??? ???
In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. The vulnerability requires user access to create and share dashboards using Splunk Web.
33 CVE-2022-37146 668 2022-09-08 2022-09-13
0.0
None ??? ??? ??? ??? ??? ???
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider take significantly longer than those for invalid users, allowing for valid users to be enumerated by an unauthenticated remote attacker. Note that the lockout policy implemented in Plextrac version 1.17.0 makes it impossible to distinguish between valid, locked user accounts and user accounts that do not exist, but does not prevent valid, unlocked users from being enumerated.
34 CVE-2022-36901 668 2022-07-27 2022-08-03
0.0
None ??? ??? ??? ??? ??? ???
Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
35 CVE-2022-36875 668 2022-09-09 2022-09-21
0.0
None ??? ??? ??? ??? ??? ???
Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.
36 CVE-2022-36830 668 2022-08-05 2022-10-27
0.0
None ??? ??? ??? ??? ??? ???
PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
37 CVE-2022-36829 668 2022-08-05 2022-10-27
0.0
None ??? ??? ??? ??? ??? ???
PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
38 CVE-2022-36780 668 2022-09-13 2022-09-16
0.0
None ??? ??? ??? ??? ??? ???
Avdor CIS - crystal quality Credentials Management Errors. The product is phone call recorder, you can hear all the recorded calls without authenticate to the system. Attacker sends crafted URL to the system: ip:port//V=2;ChannellD=number;Ext=number;Command=startLM;Client=number;Request=number;R=number number - id of the recorded number.
39 CVE-2022-36771 668 +Info 2022-09-28 2022-09-28
0.0
None ??? ??? ??? ??? ??? ???
IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.
40 CVE-2022-36226 668 2022-08-26 2022-08-31
0.0
None ??? ??? ??? ??? ??? ???
SiteServerCMS 5.X has a Remote-download-Getshell-vulnerability via /SiteServer/Ajax/ajaxOtherService.aspx.
41 CVE-2022-36074 668 2022-09-15 2022-09-19
0.0
None ??? ??? ??? ??? ??? ???
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
42 CVE-2022-35936 668 2022-08-05 2022-08-13
0.0
None ??? ??? ??? ??? ??? ???
Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount`function, all contracts that used the identical bytecode (i.e shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. A workaround is available. If a contract is subject to DoS due to this issue, the user can redeploy the same contract, i.e. with identical bytecode, so that the original contract's code is recovered. The new contract deployment restores the `bytecode hash -> bytecode` entry in the internal state.
43 CVE-2022-35837 668 2022-09-13 2022-11-14
0.0
None ??? ??? ??? ??? ??? ???
Windows Graphics Component Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34728, CVE-2022-38006.
44 CVE-2022-35716 668 +Info 2022-08-01 2022-08-05
0.0
None ??? ??? ??? ??? ??? ???
IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. IBM X-Force ID: 231360.
45 CVE-2022-35406 668 2022-07-08 2022-07-16
4.3
None Remote Medium Not required Partial None None
A URL disclosure issue was discovered in Burp Suite before 2022.6. If a user views a crafted response in the Repeater or Intruder, it may be incorrectly interpreted as a redirect.
46 CVE-2022-35288 668 +Info 2022-07-25 2022-08-01
0.0
None ??? ??? ??? ??? ??? ???
IBM Security Verify Information Queue 10.0.2 could allow a user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 230818.
47 CVE-2022-35235 668 2022-08-23 2022-08-26
0.0
None ??? ??? ??? ??? ??? ???
Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.
48 CVE-2022-34867 668 2022-09-06 2022-09-09
0.0
None ??? ??? ??? ??? ??? ???
Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin <= 2.0.8 at WordPress allows attackers to list and delete submissions. Affects only versions from 2.0.0 to 2.0.8.
49 CVE-2022-34775 668 2022-08-22 2022-08-26
0.0
None ??? ??? ??? ??? ??? ???
Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/{reservationId}?organization={orgId} API which returns a lot of data regarding the reservation (OWASP: API3): Name, mail, phone number, the number of visits of the user to this specific restaurant, the money he spent there, the money he spent on alcohol, whether he left a deposit etc. This information can easily be used for a phishing attack.
50 CVE-2022-34765 668 2022-07-13 2022-07-21
0.0
None ??? ??? ??? ??? ??? ???
A CWE-73: External Control of File Name or Path vulnerability exists that could cause loading of unauthorized firmware images when user-controlled data is written to the file path. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior)
Total number of vulnerabilities : 611   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.