CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (7,319)
page 22 of 366| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3765 | Hig | 0.50 | 7.7 | 0.00 | Jul 11, 2016 | decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016-07-01 allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted application, aka internal bug 28168413. | ||
| CVE-2016-0267 | Hig | 0.50 | 7.7 | 0.01 | Jun 29, 2016 | IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the server UI or (2) a database request. | ||
| CVE-2016-1079 | Hig | 0.50 | 7.5 | 0.10 | May 11, 2016 | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to obtain sensitive information from process memory via unspecified vectors, a… | ||
| CVE-2016-0047 | Hig | 0.50 | 7.5 | 0.21 | Feb 10, 2016 | WinForms in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to obtain sensitive information from process memory via crafted icon data, aka "Windows Forms Information Disclosure Vulnerability." | ||
| CVE-2026-50870 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request. | ||
| CVE-2026-39007 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component. | ||
| CVE-2026-36719 | Hig | 0.49 | 7.5 | 0.00 | Jun 9, 2026 | An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs. | ||
| CVE-2026-50210 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption. | ||
| CVE-2026-49193 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet. | ||
| CVE-2026-49187 | Hig | 0.49 | 7.5 | 0.00 | Jun 4, 2026 | The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse. | ||
| CVE-2026-41032 | Hig | 0.49 | 7.5 | 0.00 | Jun 3, 2026 | It is possible for an unauthenticated adjacent attacker to download log files of the controller, which may disclose some restricted information. | ||
| CVE-2026-45332 | Hig | 0.49 | 7.5 | 0.00 | May 28, 2026 | Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The… | ||
| CVE-2026-8967 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2026 | Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||
| CVE-2026-8966 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2026 | Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||
| CVE-2026-8965 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2026 | Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | ||
| CVE-2026-31909 | Hig | 0.49 | 7.5 | 0.00 | May 19, 2026 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||
| CVE-2026-39079 | Hig | 0.49 | 7.5 | 0.00 | May 18, 2026 | An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBaseApi.php components | ||
| CVE-2026-28976 | — | Hig | 0.49 | 7.5 | 0.00 | May 11, 2026 | An information leakage was addressed with additional validation. This issue is fixed in macOS Tahoe 26.5. An app may be able to gain root privileges. | |
| CVE-2026-28962 | — | Hig | 0.49 | 7.5 | 0.00 | May 11, 2026 | This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information. | |
| CVE-2026-34091 | Hig | 0.49 | 7.5 | 0.00 | May 11, 2026 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2. |
- risk 0.50cvss 7.7epss 0.00
decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016-07-01 allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted application, aka internal bug 28168413.
- risk 0.50cvss 7.7epss 0.01
IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the server UI or (2) a database request.
- risk 0.50cvss 7.5epss 0.10
Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to obtain sensitive information from process memory via unspecified vectors, a…
- risk 0.50cvss 7.5epss 0.21
WinForms in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to obtain sensitive information from process memory via crafted icon data, aka "Windows Forms Information Disclosure Vulnerability."
- risk 0.49cvss 7.5epss 0.00
An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.
- risk 0.49cvss 7.5epss 0.00
An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.
- risk 0.49cvss 7.5epss 0.00
An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
- risk 0.49cvss 7.5epss 0.00
The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.
- risk 0.49cvss 7.5epss 0.00
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
- risk 0.49cvss 7.5epss 0.00
The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.
- risk 0.49cvss 7.5epss 0.00
It is possible for an unauthenticated adjacent attacker to download log files of the controller, which may disclose some restricted information.
- risk 0.49cvss 7.5epss 0.00
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The…
- risk 0.49cvss 7.5epss 0.00
Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- risk 0.49cvss 7.5epss 0.00
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- risk 0.49cvss 7.5epss 0.00
Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- risk 0.49cvss 7.5epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- risk 0.49cvss 7.5epss 0.00
An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBaseApi.php components
- risk 0.49cvss 7.5epss 0.00
An information leakage was addressed with additional validation. This issue is fixed in macOS Tahoe 26.5. An app may be able to gain root privileges.
- risk 0.49cvss 7.5epss 0.00
This issue was addressed with improved access restrictions. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may disclose sensitive user information.
- risk 0.49cvss 7.5epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.