VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 106 of 366
  • CVE-2016-3037MedApr 17, 2017
    risk 0.37cvss 5.7epss 0.01

    IBM Cognos TM1 10.1 and 10.2 provides a service to return the victim's password with a valid session key. An authenticated attacker with user interaction could obtain this sensitive information. IBM X-Force ID: 114613.

  • CVE-2017-3292MedJan 27, 2017
    risk 0.37cvss 5.7epss 0.02

    Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP…

  • CVE-2016-5602MedOct 25, 2016
    risk 0.37cvss 5.7epss 0.02

    Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, and 12.2.1.1.0 allows remote authenticated users to affect confidentiality via vectors related to Code Generation Engine.

  • CVE-2016-3277MedJul 13, 2016
    risk 0.37cvss 5.3epss 0.32

    Microsoft Internet Explorer 10 and 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."

  • CVE-2016-0723MedFeb 8, 2016
    risk 0.37cvss 6.8epss 0.00

    Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during…

  • CVE-2016-1898MedJan 15, 2016
    risk 0.37cvss 5.5epss 0.13

    FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

  • CVE-2016-1897MedJan 15, 2016
    risk 0.37cvss 5.5epss 0.15

    FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.

  • CVE-2026-49219MedJun 10, 2026
    risk 0.36cvss 5.5epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue…

  • CVE-2026-45594MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Exposure of sensitive information to an unauthorized actor in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally.

  • CVE-2026-42973MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.

  • CVE-2026-42972MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally.

  • CVE-2026-42971MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.

  • CVE-2026-42970MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally.

  • CVE-2026-42906MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.

  • CVE-2026-41980MedJun 9, 2026
    risk 0.36cvss 5.5epss 0.00

    Permission control vulnerability in the file preview module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

  • CVE-2026-24198MedMay 26, 2026
    risk 0.36cvss 5.6epss 0.00

    NVIDIA GPU Display Driver for Linux contains a vulnerability where an advanced attacker could use a race condition to leak sensitive memory, which might cause limited exposure of sensitive information to an unauthorized actor. A successful exploit of this vulnerability might…

  • CVE-2026-44479MedMay 13, 2026
    risk 0.36cvss 5.5epss 0.00

    Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested…

  • CVE-2026-28958MedMay 11, 2026
    risk 0.36cvss 5.5epss 0.00

    This issue was addressed with improved data protection. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

  • CVE-2026-43942MedMay 8, 2026
    risk 0.36cvss 5.5epss 0.00

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as…

  • CVE-2025-14726MedMay 2, 2026
    risk 0.36cvss 6.5epss 0.01

    The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API…