CVEbaza.plCWE DictionaryCWE-840
Common Weakness Enumeration

CWE-840

CVE: 88
CVE vulnerabilities with CWE-840 (88)
9.8
CVSS
CRITICAL
CVE-2022-4719

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.

pub. 2022-12-27
9.8
CVSS
CRITICAL
CVE-2022-3363

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7.

pub. 2022-10-26
9.8
CVSS
CRITICAL
CVE-2022-32207

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

pub. 2022-07-07
9.8
CVSS
CRITICAL
CVE-2021-4171

calibre-web is vulnerable to Business Logic Errors

pub. 2022-01-17
9.3
CVSS
CRITICAL
CVE-2024-39671

Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2024-07-25
8.8
CVSS
HIGH
CVE-2023-6514

The Bluetooth module of some Huawei Smart Screen products has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may allow attackers to access restricted functions.  Successful exploitation of this vulnerability may allow attackers to access restricted functions.

pub. 2023-12-06
8.8
CVSS
HIGH
CVE-2022-0935

Host Header injection in password Reset in GitHub repository livehelperchat/livehelperchat prior to 3.97.

pub. 2022-04-07
8.5
CVSS
HIGH
CVE-2024-54098

Service logic error vulnerability in the system service module Impact: Successful exploitation of this vulnerability may affect service integrity.

pub. 2024-12-12
8.3
CVSS
HIGH
CVE-2019-3787

Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.

pub. 2019-06-19
7.7
CVSS
HIGH
CVE-2025-1908

An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.

pub. 2025-04-24
7.5
CVSS
HIGH
CVE-2022-27782

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

pub. 2022-06-02
7.5
CVSS
HIGH
CVE-2022-0524

Business Logic Errors in GitHub repository publify/publify prior to 9.2.7.

pub. 2022-02-08
7.5
CVSS
HIGH
CVE-2021-22926

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.

pub. 2021-08-05
7.4
CVSS
HIGH
CVE-2022-1155

Old sessions are not blocked by the login enable function. in GitHub repository snipe/snipe-it prior to 5.3.10.

pub. 2022-03-30
7.3
CVSS
HIGH
CVE-2025-54606

Status verification vulnerability in the lock screen module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

pub. 2025-08-06
7.3
CVSS
HIGH
CVE-2025-54611

EXTRA_REFERRER resource read vulnerability in the Gallery module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2025-08-06
7.3
CVSS
HIGH
CVE-2024-58043

Permission bypass vulnerability in the window module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2025-03-04
7.1
CVSS
HIGH
CVE-2024-51523

Information management vulnerability in the Gallery module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

pub. 2024-11-05
7.1
CVSS
HIGH
CVE-2024-1456

An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. The issue involves the S3 bucket 'http://s3.amazonaws.com/h2o-training', which was found to be vulnerable to unauthorized takeover.

pub. 2024-04-16
7.1
CVSS
HIGH
CVE-2023-6017

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.

pub. 2023-11-16
Showing 20 of 88 vulnerabilities
Information
ID: CWE-840
Vulnerabilities: 88
MITRE CWE ↗
← CWE Dictionary