VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 33 of 366
  • CVE-2018-5115HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.03

    If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the…

  • CVE-2017-7843HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.03

    When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions…

  • CVE-2017-7787HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

  • CVE-2017-7759HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.01

    Android intent URLs given to Firefox for Android can be used to navigate from HTTP or HTTPS URLs to local "file:" URLs, allowing for the reading of local data through a violation of same-origin policy. Note: This attack only affects Firefox for Android. Other operating systems…

  • CVE-2017-5454HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.03

    A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects…

  • CVE-2017-5425HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    The Gecko Media Plugin sandbox allows access to local files that match specific regular expressions. On OS OX, this matching allows access to some data in subdirectories of "/private/var" that could expose personal or temporary data. This has been updated to not allow access to…

  • CVE-2017-5385HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    Data sent with in multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header, leading to potential information disclosure for sites using this header. This vulnerability affects Firefox < 51.

  • CVE-2017-5382HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    Feed preview for RSS feeds can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of internal information not meant to be seen by web content. This vulnerability affects Firefox < 51.

  • CVE-2017-5378HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.03

    Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird <…

  • CVE-2016-9904HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.03

    An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects…

  • CVE-2018-12089HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.01

    In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set…

  • CVE-2018-4221HigJun 8, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. The issue involves the "Security" component. It allows web sites to track users by leveraging the transmission of S/MIME client certificates.

  • CVE-2017-16225HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    aegir is a module to help automate JavaScript project management. Version 12.0.0 through and including 12.0.7 bundled and published to npm the user (that performed a aegir-release) GitHub token.

  • CVE-2017-16206HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    The cofee-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

  • CVE-2017-16205HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

  • CVE-2017-16204HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

  • CVE-2017-16203HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

  • CVE-2017-16202HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

  • CVE-2017-16081HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

  • CVE-2017-16080HigJun 7, 2018
    risk 0.49cvss 7.5epss 0.01

    nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.