VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 31 of 366
  • CVE-2018-16307HigSep 5, 2018
    risk 0.49cvss 7.5epss 0.02

    An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a…

  • CVE-2018-10911HigSep 4, 2018
    risk 0.49cvss 7.5epss 0.03

    A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.

  • CVE-2018-14902HigAug 30, 2018
    risk 0.49cvss 7.5epss 0.01

    The ContentProvider in the EPSON iPrint application 6.6.3 for Android does not properly restrict data access. This allows an attacker's application to read scanned documents.

  • CVE-2017-15139HigAug 27, 2018
    risk 0.49cvss 7.5epss 0.01

    A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to…

  • CVE-2018-11654HigAug 24, 2018
    risk 0.49cvss 7.5epss 0.02

    Information disclosure in Netwave IP camera at get_status.cgi (via HTTP on port 8000) allows an unauthenticated attacker to exfiltrate sensitive information from the device.

  • CVE-2018-15661HigAug 21, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions and the ability to read SMS messages, then the Forgot Password screen can be used to bypass authentication.…

  • CVE-2018-14079HigAug 20, 2018
    risk 0.49cvss 7.5epss 0.01

    Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to obtain sensitive information via /Status/SystemStatusRpm.esp.

  • CVE-2018-8360HigAug 15, 2018
    risk 0.49cvss 7.5epss 0.09

    An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft…

  • CVE-2018-15125HigAug 13, 2018
    risk 0.49cvss 7.5epss 0.02

    Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.

  • CVE-2018-14785HigAug 10, 2018
    risk 0.49cvss 7.5epss 0.02

    NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The directory of the device is listed openly without authentication.

  • CVE-2018-14782HigAug 10, 2018
    risk 0.49cvss 7.5epss 0.02

    NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.

  • CVE-2018-7686HigAug 9, 2018
    risk 0.49cvss 7.5epss 0.01

    Information leakage vulnerability in NetIQ eDirectory before 9.1.1 HF1 due to shared memory usage.

  • CVE-2018-14735HigAug 9, 2018
    risk 0.49cvss 7.5epss 0.01

    An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. A remote attacker may be able to exploit a flaw in the permission of messaging that may allow for information exposure via a crafted message.

  • CVE-2018-14928HigAug 3, 2018
    risk 0.49cvss 7.5epss 0.02

    /contingency/servlet/ServletFileDownload executes as root and provides unauthenticated access to files via the file parameter.

  • CVE-2018-5544HigJul 31, 2018
    risk 0.49cvss 7.5epss 0.02

    When the F5 BIG-IP APM 13.0.0-13.1.1 or 12.1.0-12.1.3 renders certain pages (pages with a logon agent or a confirm box), the BIG-IP APM may disclose configuration information such as partition and agent names via URI parameters.

  • CVE-2018-14083HigJul 25, 2018
    risk 0.49cvss 7.5epss 0.03

    LICA miniCMTS E8K(u/i/...) devices allow remote attackers to obtain sensitive information via a direct POST request for the inc/user.ini file, leading to discovery of a password hash.

  • CVE-2018-5386HigJul 24, 2018
    risk 0.49cvss 7.5epss 0.05

    Some Navarino Infinity functions, up to version 2.2, placed in the URL can bypass any authentication mechanism leading to an information leak.

  • CVE-2016-5638HigJul 24, 2018
    risk 0.49cvss 7.5epss 0.03

    There are few web pages associated with the genie app on the Netgear WNDR4500 running firmware version V1.0.1.40_1.0.6877. Genie app adds some capabilities over the Web GUI and can be accessed even when you are away from home. A remote attacker can access genie_ping.htm or…

  • CVE-2018-13860HigJul 17, 2018
    risk 0.49cvss 7.5epss 0.01

    MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18 allows unauthorized remote attackers to obtain sensitive information via the "/xml/menu/getObjectEditor.xml" URL, using a "?oid=systemSetup&id=_0" or…

  • CVE-2013-0589HigJul 11, 2018
    risk 0.49cvss 7.5epss 0.02

    IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to bypass the remote image filtering mechanism and obtain sensitive information via a crafted e-mail message. IBM X-Force ID: 83371.