CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (7,319)
page 104 of 366| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48189 | Med | 0.37 | 5.7 | 0.00 | Jun 1, 2026 | An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects… | ||
| CVE-2026-48210 | Med | 0.37 | 5.7 | 0.00 | May 31, 2026 | An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the… | ||
| CVE-2026-44409 | Med | 0.37 | 5.7 | 0.00 | May 22, 2026 | There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure. | ||
| CVE-2026-40490 | Med | 0.37 | 6.8 | 0.00 | Apr 18, 2026 | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and… | ||
| CVE-2026-33220 | Med | 0.37 | 6.8 | 0.00 | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can… | ||
| CVE-2025-26711 | Med | 0.37 | 5.7 | 0.00 | Sep 16, 2025 | There is an unauthorized access vulnerability in ZTE T5400. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface. | ||
| CVE-2025-26709 | Med | 0.37 | 5.7 | 0.00 | Aug 15, 2025 | There is an unauthorized access vulnerability in ZTE F50. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface | ||
| CVE-2025-34062 | Med | 0.37 | — | 0.00 | Jul 1, 2025 | An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can… | ||
| CVE-2025-49593 | Med | 0.37 | 6.8 | 0.00 | Jun 17, 2025 | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to… | ||
| CVE-2025-25209 | Med | 0.37 | 5.7 | 0.00 | Jun 9, 2025 | The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona… | ||
| CVE-2025-20624 | Med | 0.37 | 5.7 | 0.00 | May 13, 2025 | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access. | ||
| CVE-2025-24270 | Med | 0.37 | 5.7 | 0.00 | Apr 29, 2025 | This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An attacker on the local network may be able to leak sensitive user… | ||
| CVE-2025-23216 | Med | 0.37 | 6.8 | 0.00 | Jan 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes… | ||
| CVE-2023-29114 | Med | 0.37 | 5.7 | 0.00 | Nov 5, 2024 | System logs could be accessed through web management application due to a lack of access control. An attacker can obtain the following sensitive information: • Wi-Fi access point credentials to which the EV charger can connect. • APN web… | ||
| CVE-2024-37895 | Med | 0.37 | 5.7 | 0.01 | Jun 17, 2024 | Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side… | ||
| CVE-2024-31464 | Med | 0.37 | 6.8 | 0.00 | Apr 10, 2024 | XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that… | ||
| CVE-2024-3274 | Med | 0.37 | 5.3 | 0.33 | Apr 4, 2024 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request… | ||
| CVE-2022-45354 | Med | 0.37 | 5.3 | 0.38 | Jan 8, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.7.60. | ||
| CVE-2023-48700 | — | Med | 0.37 | 5.7 | 0.00 | Nov 21, 2023 | The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to… | |
| CVE-2023-37263 | Med | 0.37 | 6.8 | 0.01 | Sep 15, 2023 | Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will… |
- risk 0.37cvss 5.7epss 0.00
An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects…
- risk 0.37cvss 5.7epss 0.00
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the…
- risk 0.37cvss 5.7epss 0.00
There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.
- risk 0.37cvss 6.8epss 0.00
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and…
- risk 0.37cvss 6.8epss 0.00
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can…
- risk 0.37cvss 5.7epss 0.00
There is an unauthorized access vulnerability in ZTE T5400. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface.
- risk 0.37cvss 5.7epss 0.00
There is an unauthorized access vulnerability in ZTE F50. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface
- risk 0.37cvss —epss 0.00
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token—which may be retrievable from host registry keys or improperly secured logs—can…
- risk 0.37cvss 6.8epss 0.00
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to…
- risk 0.37cvss 5.7epss 0.00
The AuthPolicy metadata on Red Hat Connectivity Link contains an object which stores secretes, however it assumes those secretes are already in the kuadrant-system instead of copying it to the referred namespace. This creates space for a malicious actor with a developer persona…
- risk 0.37cvss 5.7epss 0.00
Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software for Intel(R) Tiber™ Edge Platform may allow an authenticated user to potentially enable information disclosure via adjacent access.
- risk 0.37cvss 5.7epss 0.00
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An attacker on the local network may be able to leak sensitive user…
- risk 0.37cvss 6.8epss 0.00
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes…
- risk 0.37cvss 5.7epss 0.00
System logs could be accessed through web management application due to a lack of access control. An attacker can obtain the following sensitive information: • Wi-Fi access point credentials to which the EV charger can connect. • APN web…
- risk 0.37cvss 5.7epss 0.01
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side…
- risk 0.37cvss 6.8epss 0.00
XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that…
- risk 0.37cvss 5.3epss 0.33
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/info.cgi of the component HTTP GET Request…
- risk 0.37cvss 5.3epss 0.38
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.7.60.
- risk 0.37cvss 5.7epss 0.00
The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to…
- risk 0.37cvss 6.8epss 0.01
Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will…