← Back
CWE-610

236 CVEs • Abstraction: Class

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

JSON object

Loading...

CVEs (236)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Mozilla
1Thunderbird
Jun 17, 2026
Dec 22, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example image...Show more
When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.Show less
1Google
1Android
Jun 17, 2026
Dec 16, 2022
N/A· v4
7.8 HIGH· v3
N/A· v2
In Multiple Locations, there is a possibility to launch arbitrary protected activities due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is...Show more
In Multiple Locations, there is a possibility to launch arbitrary protected activities due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-242845514Show less
1Google
1Android
Jun 17, 2026
Dec 16, 2022
N/A· v4
5.5 MEDIUM· v3
N/A· v2
In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additi...Show more
In onPreferenceClick of AccountTypePreferenceLoader.java, there is a possible way to retrieve protected files from the Settings app due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-220733496Show less
1Google
1Android
Jun 17, 2026
Dec 16, 2022
N/A· v4
5.5 MEDIUM· v3
N/A· v2
In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interact...Show more
In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-199291025Show less
1Ilias
1Ilias
Jun 17, 2026
Dec 7, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
ILIAS before 7.16 allows External Control of File Name or Path.
1Siemens
1Syngo Dynamics Cardiovascular Imaging And Information System
Jun 17, 2026
Nov 17, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write dat...Show more
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool.Show less
1Siemens
1Syngo Dynamics Cardiovascular Imaging And Information System
Jun 17, 2026
Nov 17, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write dat...Show more
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool.Show less
1Siemens
1Syngo Dynamics Cardiovascular Imaging And Information System
Jun 17, 2026
Nov 17, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write dat...Show more
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool.Show less
1Siemens
1Syngo Dynamics Cardiovascular Imaging And Information System
Jun 17, 2026
Nov 17, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be r...Show more
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool.Show less
1Siemens
1Syngo Dynamics Cardiovascular Imaging And Information System
Jun 17, 2026
Nov 17, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be r...Show more
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper read access control that could allow files to be retrieved from any folder accessible to the account assigned to the website’s application pool.Show less
1Acronis
1Cyber Protect Home Office
Jun 17, 2026
Nov 7, 2022
N/A· v4
7.8 HIGH· v3
N/A· v2
Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.
1Jenkins
1Compuware Topaz For Total Test
Jun 17, 2026
Oct 19, 2022
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values...Show more
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.Show less
1Jenkins
1Compuware Source Code Download For Endevor, Pds, And Ispw
Jun 17, 2026
Oct 19, 2022
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent pr...Show more
Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.Show less
1Perfact
1Openvpn Client
Jun 17, 2026
Oct 14, 2022
N/A· v4
8.8 HIGH· v3
N/A· v2
An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new op...Show more
An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new open-VPN instance with arbitrary open-VPN configuration. This could result in the attacker achieving execution with privileges of a SYSTEM user.Show less
1Onedev Project
1Onedev
Jun 17, 2026
Sep 13, 2022
N/A· v4
9.9 CRITICAL· v3
N/A· v2
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can defin...Show more
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.Show less
1Qnap
1Photo Station
Jun 17, 2026
Sep 8, 2022
N/A· v4
9.1 CRITICAL· v3
N/A· v2
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vuln...Show more
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and laterShow less
1Plugins360
1All In One Video Gallery
Jun 17, 2026
Sep 6, 2022
N/A· v4
8.2 HIGH· v3
N/A· v2
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and includi...Show more
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests to the server.Show less
1W3eden
1Download Manager
Jun 17, 2026
Sep 6, 2022
N/A· v4
8.8 HIGH· v3
N/A· v2
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in...Show more
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.Show less
1Atlasgondal
1Export All Urls
Jun 17, 2026
Aug 29, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from...Show more
The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the serverShow less
1Wwbn
1Avideo
Jun 17, 2026
Aug 22, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attac...Show more
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.Show less