VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Class · Draft · Likelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,341)

  • CVE-2018-8145 · May 9, 2018
    risk 0.09 · cvss · epss 0.72

    An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This…

  • CVE-2015-6127 · Dec 9, 2015
    risk 0.09 · cvss · epss 0.72

    Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to read arbitrary files via a crafted .mcl file, aka "Windows Media Center Information Disclosure Vulnerability."

  • CVE-2015-2997 · Jun 8, 2015
    risk 0.09 · cvss · epss 0.81

    SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message.

  • CVE-2014-0644 · Apr 17, 2014
    risk 0.09 · cvss · epss 0.74

    EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by…

  • CVE-2013-4826 · Oct 13, 2013
    risk 0.09 · cvss · epss 0.77

    Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-1647.

  • CVE-2011-3497 · Sep 16, 2011
    risk 0.09 · cvss · epss 0.72

    service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary DLL functions via the XF function, possibly related to an insecure exposed method.

  • CVE-2011-3011 · Aug 15, 2011
    risk 0.09 · cvss · epss 0.70

    BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors.

  • CVE-2010-2333 · Jun 18, 2010
    risk 0.09 · cvss · epss 0.76

    LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension.

  • CVE-2025-12738 · Low · Jan 22, 2026
    risk 0.08 · cvss · epss 0.00

    Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its…

  • CVE-2021-22145 · Jul 21, 2021
    risk 0.08 · cvss · epss 0.68

    A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used…

  • CVE-2015-6086 · Nov 11, 2015
    risk 0.08 · cvss · epss 0.58

    Microsoft Internet Explorer 9 through 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

  • CVE-2015-2998 · Jun 8, 2015
    risk 0.08 · cvss · epss 0.62

    SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-INF/conf/serverConf.xml.

  • CVE-2014-7883 · Feb 15, 2015
    risk 0.08 · cvss · epss 0.58

    HP Universal CMDB (UCMDB) Probe 9.05, 10.01, and 10.11 enables the HTTP TRACE method, which allows remote attackers to obtain sensitive information by reading the headers of a response.

  • CVE-2014-7992 · Nov 18, 2014
    risk 0.08 · cvss · epss 0.61

    The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.

  • CVE-2014-5377 · Sep 4, 2014
    risk 0.08 · cvss · epss 0.68

    ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.

  • CVE-2011-1892 · Sep 15, 2011
    risk 0.08 · cvss · epss 0.65

    Microsoft Office Groove 2007 SP2, SharePoint Workspace 2010 Gold and SP1, Office Forms Server 2007 SP2, Office SharePoint Server 2007 SP2, Office SharePoint Server 2010 Gold and SP1, Office Groove Data Bridge Server 2007 SP2, Office Groove Management Server 2007 SP2, Groove…

  • CVE-2010-4804 · Jun 9, 2011
    risk 0.08 · cvss · epss 0.62

    The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/.

  • CVE-2009-1140 · Jun 10, 2009
    risk 0.08 · cvss · epss 0.61

    Microsoft Internet Explorer 5.01 SP4; 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 does not prevent HTML rendering of cached content, which allows remote attackers to bypass the Same Origin…

  • CVE-2008-4033 · Nov 12, 2008
    risk 0.08 · cvss · epss 0.63

    Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP…

  • CVE-2008-4029 · Nov 12, 2008
    risk 0.08 · cvss · epss 0.60

    Cross-domain vulnerability in Microsoft XML Core Services 3.0 and 4.0, as used in Internet Explorer, allows remote attackers to obtain sensitive information from another domain via a crafted XML document, related to improper error checks for external DTDs, aka "MSXML DTD…