CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Parents

CWE-668

Children

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,463)

page 136 of 324

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-3231	Sun Corporation Java Se	Med	0.28	4.3	0.01	Jan 27, 2017	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network…
CVE-2016-8322	Oracle Corporation Flexcube Core Banking	Med	0.28	4.3	0.00	Jan 27, 2017	Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 5.1.0, 5.2.0 and 11.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via…
CVE-2016-8302	Oracle Corporation Flexcube Universal Banking	Med	0.28	4.3	0.00	Jan 27, 2017	Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low…
CVE-2016-5614	Oracle Corporation Flexcube Private Banking	Med	0.28	4.3	0.00	Jan 27, 2017	Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows low privileged attacker…
CVE-2016-5014	Moodle Moodle	Med	0.28	5.4	0.00	Jan 20, 2017	In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
CVE-2016-6859	SAP Hybris	Med	0.28	4.3	0.00	Dec 31, 2016	Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
CVE-2016-6852	Open-Xchange Appsuite	Med	0.28	4.3	0.00	Dec 15, 2016	An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on…
CVE-2016-4047	Open-Xchange Appsuite	Med	0.28	4.3	0.00	Dec 15, 2016	An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As…
CVE-2016-6625	PhpMyAdmin phpMyAdmin	Med	0.28	4.3	0.00	Dec 11, 2016	An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x…
CVE-2016-6610	PhpMyAdmin phpMyAdmin	Med	0.28	4.3	0.00	Dec 11, 2016	A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions…
CVE-2016-2958	IBM Connections	Med	0.28	4.3	0.00	Nov 30, 2016	IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading an "archaic" e-mail address in a response.
CVE-2016-2957	IBM Connections	Med	0.28	4.3	0.00	Nov 30, 2016	IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading a stack trace in a response.
CVE-2016-9449	Drupal Drupal	Med	0.28	4.3	0.00	Nov 25, 2016	The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
CVE-2016-9185	OpenStack Heat	Med	0.28	4.3	0.01	Nov 4, 2016	In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0.
CVE-2016-8295	Oracle Corporation Peoplesoft Enterprise	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors.
CVE-2016-8294	Oracle Corporation Peoplesoft Enterprise Peopletools	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote authenticated users to affect confidentiality via unknown vectors.
CVE-2016-5621	Oracle Corporation Flexcube Universal Banking	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 and 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality via vectors related to INFRA, a different…
CVE-2016-5611	Oracle Corporation VM Virtualbox	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality via vectors related to Core.
CVE-2016-5603	Oracle Corporation Flexcube Universal Banking	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality via vectors related to INFRA, a different…
CVE-2016-5596	Oracle Corporation CRM Technical Foundation	Med	0.28	4.3	0.00	Oct 25, 2016	Unspecified vulnerability in the Oracle CRM Technical Foundation component in Oracle E-Business Suite 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6 allows remote authenticated users to affect confidentiality via unknown vectors.

CVE-2017-3231MedJan 27, 2017
Sun Corporation
Java Se
risk 0.28cvss 4.3epss 0.01
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network…
CVE-2016-8322MedJan 27, 2017
Oracle Corporation
Flexcube Core Banking
risk 0.28cvss 4.3epss 0.00
Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 5.1.0, 5.2.0 and 11.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via…
CVE-2016-8302MedJan 27, 2017
Oracle Corporation
Flexcube Universal Banking
risk 0.28cvss 4.3epss 0.00
Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0 and 12.2.0. Easily exploitable vulnerability allows low…
CVE-2016-5614MedJan 27, 2017
Oracle Corporation
Flexcube Private Banking
risk 0.28cvss 4.3epss 0.00
Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows low privileged attacker…
CVE-2016-5014MedJan 20, 2017
Moodle
Moodle
risk 0.28cvss 5.4epss 0.00
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
CVE-2016-6859MedDec 31, 2016
SAP
Hybris
risk 0.28cvss 4.3epss 0.00
Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.
CVE-2016-6852MedDec 15, 2016
Open-Xchange
Appsuite
risk 0.28cvss 4.3epss 0.00
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file exists or not. Attackers may discover specific system files or library versions on…
CVE-2016-4047MedDec 15, 2016
Open-Xchange
Appsuite
risk 0.28cvss 4.3epss 0.00
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those resources were requested when parsing certain parts of the generated document. As…
CVE-2016-6625MedDec 11, 2016
PhpMyAdmin
phpMyAdmin
risk 0.28cvss 4.3epss 0.00
An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x…
CVE-2016-6610MedDec 11, 2016
PhpMyAdmin
phpMyAdmin
risk 0.28cvss 4.3epss 0.00
A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions…
CVE-2016-2958MedNov 30, 2016
IBM
Connections
risk 0.28cvss 4.3epss 0.00
IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading an "archaic" e-mail address in a response.
CVE-2016-2957MedNov 30, 2016
IBM
Connections
risk 0.28cvss 4.3epss 0.00
IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading a stack trace in a response.
CVE-2016-9449MedNov 25, 2016
Drupal
Drupal
risk 0.28cvss 4.3epss 0.00
The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.
CVE-2016-9185MedNov 4, 2016
OpenStack
Heat
risk 0.28cvss 4.3epss 0.01
In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0.
CVE-2016-8295MedOct 25, 2016
Oracle Corporation
Peoplesoft Enterprise
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors.
CVE-2016-8294MedOct 25, 2016
Oracle Corporation
Peoplesoft Enterprise Peopletools
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote authenticated users to affect confidentiality via unknown vectors.
CVE-2016-5621MedOct 25, 2016
Oracle Corporation
Flexcube Universal Banking
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 and 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality via vectors related to INFRA, a different…
CVE-2016-5611MedOct 25, 2016
Oracle Corporation
VM Virtualbox
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality via vectors related to Core.
CVE-2016-5603MedOct 25, 2016
Oracle Corporation
Flexcube Universal Banking
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3, 12.1.0, and 12.2.0 allows remote authenticated users to affect confidentiality via vectors related to INFRA, a different…
CVE-2016-5596MedOct 25, 2016
Oracle Corporation
CRM Technical Foundation
risk 0.28cvss 4.3epss 0.00
Unspecified vulnerability in the Oracle CRM Technical Foundation component in Oracle E-Business Suite 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6 allows remote authenticated users to affect confidentiality via unknown vectors.