CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (6,463)
page 135 of 324| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-0885 | Med | 0.28 | 4.3 | 0.00 | Apr 5, 2017 | Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message disclosing existence of file in write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing… | ||
| CVE-2017-0881 | Med | 0.28 | 4.3 | 0.00 | Mar 28, 2017 | An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to… | ||
| CVE-2017-1155 | Med | 0.28 | 4.3 | 0.01 | Mar 20, 2017 | IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to another user's reports using a specially crafted HTTP request. IBM Reference #: 1999754. | ||
| CVE-2017-3871 | Med | 0.28 | 4.3 | 0.00 | Mar 17, 2017 | A RADIUS Secret Disclosure vulnerability in the web network management interface of Cisco Prime Optical for Service Providers could allow an authenticated, remote attacker to disclose sensitive information in the configuration generated for a device. The attacker must have valid… | ||
| CVE-2017-5866 | Med | 0.28 | 4.3 | 0.00 | Mar 3, 2017 | The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. | ||
| CVE-2017-3836 | Med | 0.28 | 4.3 | 0.00 | Feb 22, 2017 | A vulnerability in the web framework Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. More Information: CSCvb61689. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.162) 12.0(0.98000.178)… | ||
| CVE-2016-7759 | Med | 0.28 | 4.3 | 0.00 | Feb 20, 2017 | An issue was discovered in certain Apple products. iOS before 10 is affected. The issue involves the "Springboard" component, which allows physically proximate attackers to obtain sensitive information by viewing application snapshots in the Task Switcher. | ||
| CVE-2016-7592 | Med | 0.28 | 4.3 | 0.00 | Feb 20, 2017 | An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component, which allows remote attackers to obtain sensitive… | ||
| CVE-2016-6190 | Med | 0.28 | 4.3 | 0.00 | Feb 17, 2017 | SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and… | ||
| CVE-2017-5017 | Med | 0.28 | 4.3 | 0.01 | Feb 17, 2017 | Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Mac insufficiently cleared video memory, which allowed a remote attacker to possibly extract image fragments on systems with GeForce 8600M graphics chips via a crafted HTML page. | ||
| CVE-2016-6060 | Med | 0.28 | 4.3 | 0.00 | Feb 15, 2017 | An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 could allow a JazzGuest user to see project names. IBM Reference #: 1995547. | ||
| CVE-2016-0307 | Med | 0.28 | 4.3 | 0.00 | Feb 8, 2017 | IBM Connections 5.5 and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned responses. | ||
| CVE-2016-9748 | Med | 0.28 | 4.3 | 0.00 | Feb 8, 2017 | IBM Rational DOORS Next Generation 5.0 and 6.0 discloses sensitive information in error response messages that could be used for further attacks against the system. | ||
| CVE-2016-2866 | Med | 0.28 | 4.3 | 0.00 | Feb 8, 2017 | An unspecified vulnerability in IBM Jazz Team Server may disclose some deployment information to an authenticated user. | ||
| CVE-2016-6094 | Med | 0.28 | 4.3 | 0.00 | Feb 7, 2017 | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an error message that includes sensitive information about its environment, users, or associated data. | ||
| CVE-2016-6122 | Med | 0.28 | 4.3 | 0.00 | Feb 1, 2017 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses answers to security questions in a response to authenticated users. | ||
| CVE-2016-2987 | Med | 0.28 | 4.3 | 0.00 | Feb 1, 2017 | An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker. | ||
| CVE-2017-5610 | Med | 0.28 | 5.3 | 0.01 | Jan 30, 2017 | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. | ||
| CVE-2017-3315 | Med | 0.28 | 4.3 | 0.00 | Jan 27, 2017 | Vulnerability in the PeopleSoft Enterprise HCM ePerformance component of Oracle PeopleSoft Products (subcomponent: Security). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise… | ||
| CVE-2017-3296 | Med | 0.28 | 4.3 | 0.01 | Jan 27, 2017 | Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access… |
- risk 0.28cvss 4.3epss 0.00
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message disclosing existence of file in write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing…
- risk 0.28cvss 4.3epss 0.00
An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to…
- risk 0.28cvss 4.3epss 0.01
IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to another user's reports using a specially crafted HTTP request. IBM Reference #: 1999754.
- risk 0.28cvss 4.3epss 0.00
A RADIUS Secret Disclosure vulnerability in the web network management interface of Cisco Prime Optical for Service Providers could allow an authenticated, remote attacker to disclose sensitive information in the configuration generated for a device. The attacker must have valid…
- risk 0.28cvss 4.3epss 0.00
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors.
- risk 0.28cvss 4.3epss 0.00
A vulnerability in the web framework Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. More Information: CSCvb61689. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.162) 12.0(0.98000.178)…
- risk 0.28cvss 4.3epss 0.00
An issue was discovered in certain Apple products. iOS before 10 is affected. The issue involves the "Springboard" component, which allows physically proximate attackers to obtain sensitive information by viewing application snapshots in the Task Switcher.
- risk 0.28cvss 4.3epss 0.00
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component, which allows remote attackers to obtain sensitive…
- risk 0.28cvss 4.3epss 0.00
SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and…
- risk 0.28cvss 4.3epss 0.01
Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Mac insufficiently cleared video memory, which allowed a remote attacker to possibly extract image fragments on systems with GeForce 8600M graphics chips via a crafted HTML page.
- risk 0.28cvss 4.3epss 0.00
An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 could allow a JazzGuest user to see project names. IBM Reference #: 1995547.
- risk 0.28cvss 4.3epss 0.00
IBM Connections 5.5 and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned responses.
- risk 0.28cvss 4.3epss 0.00
IBM Rational DOORS Next Generation 5.0 and 6.0 discloses sensitive information in error response messages that could be used for further attacks against the system.
- risk 0.28cvss 4.3epss 0.00
An unspecified vulnerability in IBM Jazz Team Server may disclose some deployment information to an authenticated user.
- risk 0.28cvss 4.3epss 0.00
IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an error message that includes sensitive information about its environment, users, or associated data.
- risk 0.28cvss 4.3epss 0.00
IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses answers to security questions in a response to authenticated users.
- risk 0.28cvss 4.3epss 0.00
An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker.
- risk 0.28cvss 5.3epss 0.01
wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.
- risk 0.28cvss 4.3epss 0.00
Vulnerability in the PeopleSoft Enterprise HCM ePerformance component of Oracle PeopleSoft Products (subcomponent: Security). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise…
- risk 0.28cvss 4.3epss 0.01
Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access…