VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Class · Draft · Likelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 43 of 366
  • CVE-2017-11122 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading.

  • CVE-2017-0825 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.00

    An information disclosure vulnerability in the Broadcom wifi driver. Product: Android. Versions: Android kernel. Android ID: A-37305633. References: B-V2017063002.

  • CVE-2017-0823 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An information disclosure vulnerability in the Android system (rild). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37896655.

  • CVE-2017-0817 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An information disclosure vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63522430.

  • CVE-2017-0814 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An information disclosure vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62800140.

  • CVE-2017-0808 · High · Oct 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An information disclosure vulnerability in the Android framework (file system). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62301183.

  • CVE-2014-9616 · High · Sep 19, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to obtain sensitive information by making a request that redirects to the deny page.

  • CVE-2017-14404 · High · Sep 13, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file inclusion via the tool_list parameter (aka the url_tool variable) to module/tool_all/select_tool.php, as demonstrated by a tool_list=php://filter/ substring.

  • CVE-2017-1162 · High · Sep 12, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    IBM QRadar 7.2 and 7.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 122957.

  • CVE-2017-2550 · High · Sep 8, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Vulnerability in Easy Joomla Backup v3.2.4. The software creates a copy of the backup in the web root with an easily guessable filename.

  • CVE-2017-14099 · High · Sep 2, 2017
    risk 0.49 · cvss 7.5 · epss 0.04

    In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an…

  • CVE-2017-14053 · High · Sep 1, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 does not set the secure flag for an unspecified cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

  • CVE-2017-12734 · High · Aug 30, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V1.81.2). An attacker with network access to the integrated web server on port 80/tcp could obtain the session ID of an active user session. A user must be logged in to the web interface.…

  • CVE-2017-0379 · High · Aug 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.04

    Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

  • CVE-2017-3154 · High · Aug 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information.

  • CVE-2015-7255 · High · Aug 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials or other sensitive information via a man-in-the-middle attack, passive…

  • CVE-2015-1600 · High · Aug 28, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    Information disclosure vulnerability in Netatmo Indoor Module firmware 100 and earlier.

  • CVE-2014-9483 · High · Aug 28, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    Emacs 24.4 allows remote attackers to bypass security restrictions.

  • CVE-2015-1800 · High · Aug 24, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to potentially obtain sensitive information.

  • CVE-2017-9512 · High · Aug 24, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible, before version 4.4.1 allows anonymous remote attackers to access sensitive information, for example email addresses of committers, as it lacked permission checks.