VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 32 of 366
  • CVE-2018-3652 · High · Jul 10, 2018
    risk 0.49 · cvss 7.6 · epss 0.00

    Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel Xeon Processor E3 Family, Intel Xeon Scalable processors, and Intel Xeon Processor D Family allows a limited physical presence attacker to potentially access platform secrets…

  • CVE-2018-5892 · High · Jul 6, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    The Touch Pal application can collect user behavior data without awareness by the user in Snapdragon Mobile and Snapdragon Wear.

  • CVE-2018-12997 · High · Jun 29, 2018
    risk 0.49 · cvss 7.5 · epss 0.07

    Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers…

  • CVE-2018-12927 · High · Jun 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Northern Electric & Power (NEP) inverter devices allow remote attackers to obtain potentially sensitive information via a direct request for the nep/status/index/1 URI.

  • CVE-2018-12926 · High · Jun 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Pharos Controls devices allow remote attackers to obtain potentially sensitive information via a direct request for the default/index.lsp or default/log.lsp URI.

  • CVE-2018-12923 · High · Jun 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    BWS Systems HA-Bridge devices allow remote attackers to obtain potentially sensitive information via a direct request for the #!/system URI.

  • CVE-2018-12921 · High · Jun 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Electro Industries GaugeTech Nexus devices allow remote attackers to obtain potentially sensitive information via a direct request for the meter_information.htm, diag_system.htm, or diag_dnp_lan_wan.htm URI.

  • CVE-2018-12920 · High · Jun 28, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI.

  • CVE-2018-12907 · High · Jun 27, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a…

  • CVE-2018-10663 · High · Jun 26, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in multiple models of Axis IP Cameras. There is an Incorrect Size Calculation.

  • CVE-2018-1000535 · High · Jun 26, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    lms version <= LMS_011123 contains a Local File Disclosure vulnerability in the file reading functionality of the LMS module that can result in the ability to read files on the server. This attack appears to be exploitable via a GET parameter. This vulnerability appears to have been fixed in…

  • CVE-2018-0584 · High · Jun 26, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    IIJ SmartKey App for Android version 2.1.0 and earlier allows remote attackers to bypass authentication [effect_of_bypassing_authentication] via unspecified vectors.

  • CVE-2018-12735 · High · Jun 25, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    SAJ Solar Inverter allows remote attackers to obtain potentially sensitive information via a direct request for the inverter_info.htm or english_main.htm URI.

  • CVE-2018-12594 · High · Jun 20, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Reliable Controls MACH-ProWebCom 7.80 devices allow remote attackers to obtain sensitive information via a direct request for the data/fileinfo.xml or job/job.json file, as demonstrated by the Master Password field.

  • CVE-2018-12592 · High · Jun 20, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Polycom RealPresence Web Suite before 2.2.0 does not block a user's video for a few seconds upon joining a meeting (when the user has explicitly chosen to turn off the video using a specific option). During those seconds, a meeting invitee may unknowingly be on camera with other…

  • CVE-2018-5182 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    If a text string that happens to be a filename in the operating system's native format is dragged and dropped onto the addressbar the specified local file will be opened. This is contrary to policy and is what would happen if the string were the equivalent "file:" URL. This…

  • CVE-2018-5181 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    If a URL using the "file:" protocol is dragged and dropped onto an open tab that is running in a different child process the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process…

  • CVE-2018-5157 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects…

  • CVE-2018-5137 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    A legacy extension's non-contentaccessible, defined resources can be loaded by an arbitrary web page through script. This script does this by using a maliciously crafted path string to reference the resources. Note: this vulnerability does not affect WebExtensions. This…

  • CVE-2018-5134 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    WebExtensions may use "view-source:" URLs to view local "file:" URL content, as well as content stored in "about:cache", bypassing restrictions that only allow WebExtensions to view specific content. This vulnerability affects Firefox < 59.