VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,499)

page 287 of 325
  • CVE-2011-4728Dec 16, 2011
    Parallels
    Parallels Plesk Panel
    risk 0.00cvss epss 0.01

    The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as…

  • CVE-2011-4598Dec 15, 2011
    Digium
    Asterisk
    risk 0.00cvss epss 0.02

    The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of…

  • CVE-2011-4597Dec 15, 2011
    Asterisk
    Asterisk
    risk 0.00cvss epss 0.03

    The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate…

  • CVE-2011-0291Dec 8, 2011
    Blackberry
    PlayBook
    risk 0.00cvss epss 0.00

    The BlackBerry PlayBook service on the Research In Motion (RIM) BlackBerry PlayBook tablet with software before 1.0.8.6067 allows local users to gain privileges via a crafted configuration file in a backup archive.

  • CVE-2011-3179Dec 8, 2011
    Novell
    Groupwise Messenger
    risk 0.00cvss epss 0.01

    The server process in Novell Messenger 2.1 and 2.2.x before 2.2.1, and Novell GroupWise Messenger 2.04 and earlier, allows remote attackers to read from arbitrary memory locations via a crafted command.

  • CVE-2010-5069Dec 7, 2011
    Google
    Chrome
    risk 0.00cvss epss 0.01

    The Cascading Style Sheets (CSS) implementation in Google Chrome 4 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document. NOTE: this may overlap CVE-2010-2264.

  • CVE-2010-5068Dec 7, 2011
    Opera
    Opera
    risk 0.00cvss epss 0.01

    The Cascading Style Sheets (CSS) implementation in Opera 10.5 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264.

  • CVE-2002-2436Dec 7, 2011
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.01

    The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted…

  • CVE-2011-4497Nov 21, 2011
    Asus
    Rt N56u Firmware
    risk 0.00cvss epss 0.01

    QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request.

  • CVE-2011-4457Nov 17, 2011
    Owasp Java HTML Sanitizer Project
    Owasp Java HTML Sanitizer
    risk 0.00cvss epss 0.01

    OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element.

  • CVE-2011-2774Nov 15, 2011
    Mahara (software)
    Mahara
    risk 0.00cvss epss 0.01

    The "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 allows remote authenticated users to read the messages of a different user via a modified replyto parameter.

  • CVE-2011-3441Nov 11, 2011
    Apple Inc.
    iOS
    risk 0.00cvss epss 0.02

    libinfo in Apple iOS before 5.0.1 does not properly formulate domain-name queries, which allows remote attackers to obtain sensitive information via a crafted DNS hostname.

  • CVE-2011-3653Nov 9, 2011
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.01

    Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not properly interact with the GPU memory behavior of a certain driver for Intel integrated GPUs, which allows remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL…

  • CVE-2011-3649Nov 9, 2011
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.01

    Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data…

  • CVE-2011-1368Oct 29, 2011
    IBM
    Websphere Application Server
    risk 0.00cvss epss 0.02

    The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.

  • CVE-2011-3163Oct 23, 2011
    Microfocus
    MFP Digital Sending Software
    risk 0.00cvss epss 0.00

    HP MFP Digital Sending Software 4.9x through 4.91.21 allows local users to obtain sensitive workflow-metadata information via unspecified vectors.

  • CVE-2011-2059Oct 22, 2011
    Cisco Systems, Inc.
    Cisco iOS
    risk 0.00cvss epss 0.02

    The ipv6 component in Cisco IOS before 15.1(4)M1.3 allows remote attackers to conduct fingerprinting attacks and obtain potentially sensitive information about the presence of the IOS operating system via an ICMPv6 Echo Request packet containing a Hop-by-Hop (HBH) extension…

  • CVE-2011-2042Oct 22, 2011
    Cisco Systems, Inc.
    Ciscoworks Common Services
    risk 0.00cvss epss 0.01

    The Sybase SQL Anywhere database component in Cisco CiscoWorks Common Services 3.x and 4.x before 4.1 allows remote attackers to obtain potentially sensitive information about the engine name and database port via an unspecified request to UDP port 2638, aka Bug ID CSCsk35018.

  • CVE-2011-3431Oct 14, 2011
    Apple Inc.
    iOS
    risk 0.00cvss epss 0.00

    The Home screen component in Apple iOS before 5 does not properly support a certain application-switching gesture, which might allow physically proximate attackers to obtain sensitive state information by watching the device's screen.

  • CVE-2011-3427Oct 14, 2011
    Apple Inc.
    TV
    risk 0.00cvss epss 0.01

    The Data Security component in Apple iOS before 5 and Apple TV before 4.4 does not properly restrict use of the MD5 hash algorithm within X.509 certificates, which makes it easier for man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted…