VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Class · Draft · Likelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 26 of 366
  • CVE-2025-25729 · High · Feb 28, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via the update or boot process.

  • CVE-2025-25333 · High · Feb 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in IKEA CN iOS 4.13.0 allows attackers to access sensitive user information via supplying a crafted link.

  • CVE-2024-57716 · High · Feb 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function.

  • CVE-2024-13622 · High · Feb 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely…

  • CVE-2024-51123 · High · Feb 12, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Zertificon Z1 SecureMail Z1 SecureMail Gateway 4.44.2-7240-debian12 allows a remote attacker to obtain sensitive information via the /compose-pdf.xhtml?convid=[id] component.

  • CVE-2024-55272 · High · Feb 7, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Brainasoft Braina v2.8 allows a remote attacker to obtain sensitive information via the chat window function.

  • CVE-2025-22918 · High · Feb 3, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Polycom RealPresence Group 500 <=20 has Insecure Permissions due to automatically loaded cookies. This allows for the use of administrator functions, resulting in the leakage of sensitive user information.

  • CVE-2024-34897 · High · Feb 3, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability.

  • CVE-2024-48310 · High · Jan 28, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.

  • CVE-2024-48125 · High · Jan 15, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in the AsDB service of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to enumerate user credentials via crafted GIOP protocol requests.

  • CVE-2024-47922 · High · Dec 30, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CVE-2024-56509 · High · Dec 27, 2024
    risk 0.49 · cvss 8.6 · epss 0.01

    changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur…

  • CVE-2024-21549 · High · Dec 20, 2024
    risk 0.49 · cvss 8.6 · epss 0.01

    Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a…

  • CVE-2024-51163 · High · Nov 20, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A Local File Inclusion vulnerability in Vegam Solutions Vegam 4i versions 6.3.47.0 and earlier allows a remote attacker to obtain sensitive information through the print label function. Specifically, the filePathList parameter is susceptible to LFI, enabling a malicious user to…

  • CVE-2024-47915 · High · Nov 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CVE-2024-6861 · High · Nov 6, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.

  • CVE-2024-48824 · High · Oct 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to obtain sensitive information via the Racine & FileName parameters in the download-file.php component.

  • CVE-2024-48789 · High · Oct 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in INATRONIC com.inatronic.drivedeck.home 2.6.23 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48799 · High · Oct 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in LOREX TECHNOLOGY INC com.lorexcorp.lorexping 1.4.22 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48798 · High · Oct 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue in Hubble Connected (com.hubbleconnected.vervelife) 2.00.81 allows a remote attacker to obtain sensitive information via the firmware update process.