VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 24 of 366
  • CVE-2025-60858 · High · Oct 28, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information.

  • CVE-2025-52268 · High · Oct 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    StarCharge Artemis AC Charger 7-22 kW v1.0.4 was discovered to contain a hardcoded AES key which allows attackers to forge or decrypt valid login tokens.

  • CVE-2025-11145 · High · Oct 24, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account…

  • CVE-2025-6980 · High · Oct 23, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Captive Portal can expose sensitive information

  • CVE-2025-53066 · High · Oct 21, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16…

  • CVE-2025-61220 · High · Oct 21, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information.

  • CVE-2025-10535 · High · Sep 16, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.

  • CVE-2025-56406 · High · Sep 10, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended…

  • CVE-2025-29089 · High · Sep 9, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information

  • CVE-2025-43988 · High · Aug 13, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    KuWFi 5G01-X55 FL2020_V0.0.12 devices expose an unauthenticated API endpoint (ajax_get.cgi), allowing remote attackers to retrieve sensitive configuration data, including admin credentials.

  • CVE-2025-33051 · High · Aug 12, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.

  • CVE-2025-29745 · High · Aug 5, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability affecting the scanning module in Emsisoft Anti-Malware prior to 2024.12 allows attackers on a remote server to obtain Net-NTLMv2 hash information via a specially created A2S (Emsisoft Custom Scan) extension file.

  • CVE-2025-50708 · High · Jul 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in Perplexity AI GPT-4 v.2.51.0 allows a remote attacker to obtain sensitive information via the token component in the shared chat URL

  • CVE-2025-23173 · High · Jun 19, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    The Versa Director SD-WAN orchestration platform provides direct web-based access to uCPE virtual machines through the Director GUI. By default, the websockify service is exposed on port 6080 and accessible from the internet. This exposure introduces significant risk, as…

  • CVE-2025-41230 · High · May 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    VMware Cloud Foundation contains an information disclosure vulnerability. A malicious actor with network access to port 443 on VMware Cloud Foundation may exploit this issue to gain access to sensitive information.

  • CVE-2025-23174 · High · Apr 21, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CVE-2025-28235 · High · Apr 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext.

  • CVE-2025-26167 · High · Mar 6, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Buffalo LS520D 4.53 is vulnerable to Arbitrary file read, which allows unauthenticated attackers to access the NAS web UI and read arbitrary internal files.

  • CVE-2025-25729 · High · Feb 28, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via the update or boot process.

  • CVE-2025-25333 · High · Feb 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in IKEA CN iOS 4.13.0 allows attackers to access sensitive user information via supplying a crafted link.