CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Parents

CWE-668

Children

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,405)

page 155 of 321

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2015-8791	Matroska Org Libebml	Med	0.21	4.3	0.00	Jan 29, 2016	The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.
CVE-2015-8790	Matroska Org Libebml	Med	0.21	4.3	0.01	Jan 29, 2016	The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.
CVE-2015-4958	IBM Infosphere Master Data Management	Low	0.21	3.3	0.00	Jan 17, 2016	IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 does not properly restrict browser caching, which allows local users to obtain sensitive information by reading cache files.
CVE-2015-6644	Google Android	Low	0.21	3.3	0.00	Jan 6, 2016	Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
CVE-2014-4407	Apple Inc. iOS	Low	0.21	3.3	0.00	Sep 18, 2014	IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.
CVE-2026-9991	Google Chrome	Low	0.20	3.1	0.00	May 28, 2026	Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-10011	Google Chrome	Low	0.20	3.1	0.00	May 28, 2026	Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-1197	Mineadmin Mineadmin	Low	0.20	3.1	0.00	Jan 20, 2026	A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's…
CVE-2026-1196	Mineadmin Mineadmin	Low	0.20	3.1	0.00	Jan 20, 2026	A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high…
CVE-2025-15141	Halo Dev Halo	Low	0.20	3.1	0.00	Dec 28, 2025	A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. This attack is…
CVE-2025-11647	Tomofun Furbo 360	Low	0.20	3.1	0.00	Oct 12, 2025	A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree…
CVE-2025-8515	Intelbras Incontrol Web	Low	0.20	3.1	0.00	Aug 4, 2025	A weakness has been identified in Intelbras InControl 2.21.60.9. This vulnerability affects unknown code of the file /v1/operador/ of the component JSON Endpoint. Executing manipulation can lead to information disclosure. It is possible to launch the attack remotely. A high…
CVE-2025-24363	—	Med	0.20	4.2	0.00	Jan 24, 2025	The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that…
CVE-2024-32754	—	Low	0.20	3.1	0.00	Jul 4, 2024	Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.
CVE-2017-1000114	Jenkins Project Datadog	Low	0.20	3.1	0.00	Oct 5, 2017	The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example…
CVE-2017-5190	Microfocus Access Manager	Low	0.20	3.1	0.00	Apr 20, 2017	NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile.
CVE-2015-4078	Cloudera Navigator	Low	0.20	3.1	0.00	Mar 23, 2017	Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
CVE-2016-9697	RealNetworks Rhapsody	Low	0.20	3.1	0.00	Mar 20, 2017	An unspecified vulnerability in IBM Rhapsody DM 4.0, 5.0, and 6.0 could allow an attacker to perform a JSON Hijacking Attack. A JSON Hijacking Attack may expose to an attacker information passed between the server and the browser. IBM Reference #: 1999960.
CVE-2017-3319	Oracle Corporation MySQL	Low	0.20	3.1	0.01	Jan 27, 2017	Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: X Plugin). Supported versions that are affected are 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise…
CVE-2016-2380	Pidgin (software) Pidgin	Low	0.20	3.1	0.01	Jan 6, 2017	An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and…

CVE-2015-8791MedJan 29, 2016
Matroska Org
Libebml
risk 0.21cvss 4.3epss 0.00
The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.
CVE-2015-8790MedJan 29, 2016
Matroska Org
Libebml
risk 0.21cvss 4.3epss 0.01
The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.
CVE-2015-4958LowJan 17, 2016
IBM
Infosphere Master Data Management
risk 0.21cvss 3.3epss 0.00
IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 does not properly restrict browser caching, which allows local users to obtain sensitive information by reading cache files.
CVE-2015-6644LowJan 6, 2016
Google
Android
risk 0.21cvss 3.3epss 0.00
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
CVE-2014-4407LowSep 18, 2014
Apple Inc.
iOS
risk 0.21cvss 3.3epss 0.00
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.
CVE-2026-9991LowMay 28, 2026
Google
Chrome
risk 0.20cvss 3.1epss 0.00
Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-10011LowMay 28, 2026
Google
Chrome
risk 0.20cvss 3.1epss 0.00
Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-1197LowJan 20, 2026
Mineadmin
Mineadmin
risk 0.20cvss 3.1epss 0.00
A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's…
CVE-2026-1196LowJan 20, 2026
Mineadmin
Mineadmin
risk 0.20cvss 3.1epss 0.00
A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high…
CVE-2025-15141LowDec 28, 2025
Halo Dev
Halo
risk 0.20cvss 3.1epss 0.00
A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. This attack is…
CVE-2025-11647LowOct 12, 2025
Tomofun
Furbo 360
risk 0.20cvss 3.1epss 0.00
A flaw has been found in Tomofun Furbo 360 and Furbo Mini. This issue affects some unknown processing of the component GATT Service. This manipulation of the argument DeviceToken causes information disclosure. The attack is only possible within the local network. A high degree…
CVE-2025-8515LowAug 4, 2025
Intelbras
Incontrol Web
risk 0.20cvss 3.1epss 0.00
A weakness has been identified in Intelbras InControl 2.21.60.9. This vulnerability affects unknown code of the file /v1/operador/ of the component JSON Endpoint. Executing manipulation can lead to information disclosure. It is possible to launch the attack remotely. A high…
CVE-2025-24363MedJan 24, 2025
risk 0.20cvss 4.2epss 0.00
The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.8.9, in CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that…
CVE-2024-32754LowJul 4, 2024
risk 0.20cvss 3.1epss 0.00
Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.
CVE-2017-1000114LowOct 5, 2017
Jenkins Project
Datadog
risk 0.20cvss 3.1epss 0.00
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example…
CVE-2017-5190LowApr 20, 2017
Microfocus
Access Manager
risk 0.20cvss 3.1epss 0.00
NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile.
CVE-2015-4078LowMar 23, 2017
Cloudera
Navigator
risk 0.20cvss 3.1epss 0.00
Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
CVE-2016-9697LowMar 20, 2017
RealNetworks
Rhapsody
risk 0.20cvss 3.1epss 0.00
An unspecified vulnerability in IBM Rhapsody DM 4.0, 5.0, and 6.0 could allow an attacker to perform a JSON Hijacking Attack. A JSON Hijacking Attack may expose to an attacker information passed between the server and the browser. IBM Reference #: 1999960.
CVE-2017-3319LowJan 27, 2017
Oracle Corporation
MySQL
risk 0.20cvss 3.1epss 0.01
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: X Plugin). Supported versions that are affected are 5.7.16 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise…
CVE-2016-2380LowJan 6, 2017
Pidgin (software)
Pidgin
risk 0.20cvss 3.1epss 0.01
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and…