CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Parents

CWE-668

Children

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,463)

page 147 of 324

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-52630	HCLTech Aion	Low	0.24	3.7	0.00	Oct 10, 2025	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
CVE-2025-10281	Blacklanternsecurity Bbot	Med	0.24	4.7	0.00	Oct 9, 2025	BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker controlled server with a malicious formatted git URL.
CVE-2025-11443	Jhumanj Opnform	Low	0.24	3.7	0.00	Oct 8, 2025	A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack…
CVE-2025-9005	Mtons Mblog	Low	0.24	3.7	0.00	Aug 15, 2025	A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The complexity of an attack is rather high. The…
CVE-2025-8548	atjiu pybbs	Low	0.24	3.7	0.00	Aug 5, 2025	A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function sendEmailCode of the file src/main/java/co/yiiu/pybbs/controller/api/SettingsApiController.java of the component Registered Email Handler. The manipulation of the…
CVE-2024-55951	Metabase Metabase	Med	0.24	—	0.00	Dec 16, 2024	Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to…
CVE-2024-45811	Vitejs Vite	Med	0.24	4.8	0.00	Sep 17, 2024	Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the…
CVE-2024-39314	KisaragiEffective toy-blog	Med	0.24	4.7	0.00	Jul 1, 2024	toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass…
CVE-2023-52147	Tipsandtricks Hq All In One Wp Security \& Firewall	Low	0.24	3.7	0.00	Jun 4, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects All In One WP Security & Firewall: from n/a…
CVE-2023-49822	Davidvongries Ultimate Dashboard	Low	0.24	3.7	0.01	Jun 4, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in David Vongries Ultimate Dashboard allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Ultimate Dashboard: from n/a through 3.7.10.
CVE-2023-49748	Wpserveur Wps Hide Login	Low	0.24	3.7	0.01	Jun 4, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPServeur, NicolasKulka, wpformation WPS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPS Hide Login: from n/a through 1.9.11.
CVE-2023-48335	WordPress Hide Login Page	Low	0.24	3.7	0.01	Jun 4, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9.
CVE-2023-47818	Lws Lws Hide Login	Low	0.24	3.7	0.01	Jun 4, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in LWS LWS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LWS Hide Login: from n/a through 2.1.8.
CVE-2022-40696	Advancedcustomfields Advanced Custom Fields	Low	0.24	3.7	0.01	Jan 8, 2024	Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF).This issue affects Advanced Custom Fields (ACF): from 3.1.1 through 6.0.2.
CVE-2020-8284	Curl Curl	Low	0.24	3.7	0.00	Dec 14, 2020	A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port…
CVE-2017-15321	Huawei Fusionsphere Openstack	Low	0.24	3.7	0.00	Dec 22, 2017	Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an information leak vulnerability due to the use of a low version transmission protocol by default. An attacker could intercept packets transferred by a target device. Successful exploit could cause an information leak.
CVE-2017-16355	—	Med	0.24	4.7	0.00	Dec 14, 2017	In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from…
CVE-2017-1497	IBM Sterling File Gateway	Low	0.24	3.7	0.00	Dec 7, 2017	IBM Sterling File Gateway 2.2 could allow an unauthorized user to view files they should not have access to providing they know the directory location of the file. IBM X-Force ID: 128695.
CVE-2017-1355	IBM Atlas Ediscovery Process Management	Low	0.24	3.7	0.00	Dec 7, 2017	IBM Atlas eDiscovery Process Management 6.0.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 126682.
CVE-2017-1228	IBM Bigfix Platform	Low	0.24	3.7	0.00	Oct 26, 2017	IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. An attacker could exploit this vulnerability to obtain sensitive information using…

CVE-2025-52630LowOct 10, 2025
HCLTech
Aion
risk 0.24cvss 3.7epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.
CVE-2025-10281MedOct 9, 2025
Blacklanternsecurity
Bbot
risk 0.24cvss 4.7epss 0.00
BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker controlled server with a malicious formatted git URL.
CVE-2025-11443LowOct 8, 2025
Jhumanj
Opnform
risk 0.24cvss 3.7epss 0.00
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack…
CVE-2025-9005LowAug 15, 2025
Mtons
Mblog
risk 0.24cvss 3.7epss 0.00
A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The complexity of an attack is rather high. The…
CVE-2025-8548LowAug 5, 2025
atjiu
pybbs
risk 0.24cvss 3.7epss 0.00
A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function sendEmailCode of the file src/main/java/co/yiiu/pybbs/controller/api/SettingsApiController.java of the component Registered Email Handler. The manipulation of the…
CVE-2024-55951MedDec 16, 2024
Metabase
Metabase
risk 0.24cvss —epss 0.00
Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to…
CVE-2024-45811MedSep 17, 2024
Vitejs
Vite
risk 0.24cvss 4.8epss 0.00
Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the…
CVE-2024-39314MedJul 1, 2024
KisaragiEffective
toy-blog
risk 0.24cvss 4.7epss 0.00
toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass…
CVE-2023-52147LowJun 4, 2024
Tipsandtricks Hq
All In One Wp Security \& Firewall
risk 0.24cvss 3.7epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects All In One WP Security & Firewall: from n/a…
CVE-2023-49822LowJun 4, 2024
Davidvongries
Ultimate Dashboard
risk 0.24cvss 3.7epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in David Vongries Ultimate Dashboard allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Ultimate Dashboard: from n/a through 3.7.10.
CVE-2023-49748LowJun 4, 2024
Wpserveur
Wps Hide Login
risk 0.24cvss 3.7epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPServeur, NicolasKulka, wpformation WPS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPS Hide Login: from n/a through 1.9.11.
CVE-2023-48335LowJun 4, 2024
WordPress
Hide Login Page
risk 0.24cvss 3.7epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9.
CVE-2023-47818LowJun 4, 2024
Lws
Lws Hide Login
risk 0.24cvss 3.7epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in LWS LWS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LWS Hide Login: from n/a through 2.1.8.
CVE-2022-40696LowJan 8, 2024
Advancedcustomfields
Advanced Custom Fields
risk 0.24cvss 3.7epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF).This issue affects Advanced Custom Fields (ACF): from 3.1.1 through 6.0.2.
CVE-2020-8284LowDec 14, 2020
Curl
Curl
risk 0.24cvss 3.7epss 0.00
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port…
CVE-2017-15321LowDec 22, 2017
Huawei
Fusionsphere Openstack
risk 0.24cvss 3.7epss 0.00
Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an information leak vulnerability due to the use of a low version transmission protocol by default. An attacker could intercept packets transferred by a target device. Successful exploit could cause an information leak.
CVE-2017-16355MedDec 14, 2017
risk 0.24cvss 4.7epss 0.00
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from…
CVE-2017-1497LowDec 7, 2017
IBM
Sterling File Gateway
risk 0.24cvss 3.7epss 0.00
IBM Sterling File Gateway 2.2 could allow an unauthorized user to view files they should not have access to providing they know the directory location of the file. IBM X-Force ID: 128695.
CVE-2017-1355LowDec 7, 2017
IBM
Atlas Ediscovery Process Management
risk 0.24cvss 3.7epss 0.00
IBM Atlas eDiscovery Process Management 6.0.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 126682.
CVE-2017-1228LowOct 26, 2017
IBM
Bigfix Platform
risk 0.24cvss 3.7epss 0.00
IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. An attacker could exploit this vulnerability to obtain sensitive information using…