VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (6,463)

page 300 of 324
  • CVE-2010-2758Aug 16, 2010
    Mozilla Corporation
    Bugzilla
    risk 0.00cvss epss 0.01

    Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or…

  • CVE-2010-2989Aug 10, 2010
    Tenable
    Web Server Plugin
    risk 0.00cvss epss 0.00

    nessusd_www_server.nbin in the Nessus Web Server plugin 1.2.4 for Nessus allows remote attackers to obtain sensitive information via a request to the /feed method, which reveals the version in a response.

  • CVE-2010-2982Aug 10, 2010
    Cisco Systems, Inc.
    Unified Wireless Network Solution Software
    risk 0.00cvss epss 0.00

    Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 allows remote attackers to discover a group password via a series of SNMP requests, as demonstrated by an SNMP walk, aka Bug ID CSCtb74037.

  • CVE-2010-2975Aug 10, 2010
    Cisco Systems, Inc.
    Unified Wireless Network Solution Software
    risk 0.00cvss epss 0.00

    Cisco Unified Wireless Network (UWN) Solution 7.x through 7.0.98.0 does not properly handle multiple SSH sessions, which allows physically proximate attackers to read a password, related to an "arrow key failure," aka Bug ID CSCtg51544.

  • CVE-2010-2791Aug 5, 2010
    Apache
    HTTP Server
    risk 0.00cvss epss 0.02

    mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different…

  • CVE-2010-1796Jul 30, 2010
    Apple Inc.
    Safari
    risk 0.00cvss epss 0.00

    The AutoFill feature in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to obtain sensitive Address Book Card information via JavaScript code that forces keystroke events for input fields.

  • CVE-2010-2913Jul 30, 2010
    Citibank
    Citi Mobile
    risk 0.00cvss epss 0.00

    The Citibank Citi Mobile app before 2.0.3 for iOS stores account data in a file, which allows local users to obtain sensitive information via vectors involving (1) the mobile device or (2) a synchronized computer.

  • CVE-2010-2754Jul 30, 2010
    Mozilla Corporation
    Firefox
    risk 0.00cvss epss 0.00

    dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 does not properly suppress a script's URL in certain circumstances involving a redirect and an error…

  • CVE-2010-2859Jul 25, 2010
    Boesch It
    Simpnews
    risk 0.00cvss epss 0.00

    news.php in SimpNews 2.47.3 and earlier allows remote attackers to obtain sensitive information via an invalid lang parameter, which reveals the installation path in an error message.

  • CVE-2009-4951Jul 22, 2010
    TYPO3
    ClickStream Analyzer [output]
    risk 0.00cvss epss 0.00

    Unspecified vulnerability in the ClickStream Analyzer [output] (alternet_csa_out) extension 0.3.0 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

  • CVE-2009-4943Jul 22, 2010
    Impactsoftcompany
    Adpeeps
    risk 0.00cvss epss 0.00

    index.php in AdPeeps 8.5d1 allows remote attackers to obtain sensitive information via (1) a view_adrates action with an invalid uid parameter, which reveals the installation path in an error message; or (2) an adminlogin action with a crafted uid parameter, which reveals the…

  • CVE-2010-2659Jul 8, 2010
    Opera
    Opera
    risk 0.00cvss epss 0.01

    Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10.60 on UNIX platforms makes widget properties accessible to third-party domains, which allows remote attackers to obtain potentially sensitive information via a crafted web site.

  • CVE-2010-2612Jul 2, 2010
    Microfocus
    Openvms
    risk 0.00cvss epss 0.00

    Unspecified vulnerability in the HP OpenVMS Auditing feature in OpenVMS ALPHA 7.3-2, 8.2, and 8.3; and OpenVMS for Integrity Servers 8.3 AND 8.3-1H1; allows local users to obtain sensitive information via unknown vectors.

  • CVE-2010-1407Jun 22, 2010
    Apple Inc.
    Webkit
    risk 0.00cvss epss 0.01

    WebKit in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the history.replaceState method in certain situations involving IFRAME elements, which allows remote attackers to obtain sensitive information via a crafted HTML document.

  • CVE-2010-2326Jun 18, 2010
    IBM
    Websphere Application Server
    risk 0.00cvss epss 0.00

    IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file.

  • CVE-2010-2323Jun 18, 2010
    IBM
    Websphere Application Server
    risk 0.00cvss epss 0.00

    IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT.

  • CVE-2010-2264Jun 11, 2010
    Apple Inc.
    Safari
    risk 0.00cvss epss 0.01

    The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information…

  • CVE-2010-1406Jun 11, 2010
    Apple Inc.
    Safari
    risk 0.00cvss epss 0.01

    WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain…

  • CVE-2010-1393Jun 11, 2010
    Apple Inc.
    Safari
    risk 0.00cvss epss 0.01

    The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to discover sensitive URLs via an HREF attribute associated with a redirecting URL.

  • CVE-2010-1388Jun 11, 2010
    Apple Inc.
    Safari
    risk 0.00cvss epss 0.01

    WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6, and before 4.1 on Mac OS X 10.4, does not properly handle clipboard (1) drag and (2) paste operations for URLs, which allows user-assisted remote attackers to read arbitrary files via a crafted HTML document.