VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 46 of 366
  • CVE-2017-6045HigJun 21, 2017
    risk 0.49cvss 7.5epss 0.02

    An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information.

  • CVE-2017-3087HigJun 20, 2017
    risk 0.49cvss 7.5epss 0.03

    Adobe Captivate versions 9 and earlier have an information disclosure vulnerability resulting from abuse of the quiz reporting feature in Captivate.

  • CVE-2017-3743HigJun 20, 2017
    risk 0.49cvss 7.5epss 0.01

    If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be…

  • CVE-2017-8450HigJun 16, 2017
    risk 0.49cvss 7.5epss 0.01

    X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.

  • CVE-2017-9731HigJun 16, 2017
    risk 0.49cvss 7.5epss 0.01

    In meta/classes/package_ipk.bbclass in Poky in poky-pyro 17.0.0 for Yocto Project through YP Core - Pyro 2.3, attackers can obtain sensitive information by reading a URL in a Source entry in an ipk package.

  • CVE-2015-7732HigJun 15, 2017
    risk 0.49cvss 7.5epss 0.01

    The Avira Mobile Security app before 1.5.11 for iOS sends sensitive login information in cleartext.

  • CVE-2017-1379HigJun 15, 2017
    risk 0.49cvss 7.5epss 0.02

    IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensitive information, caused by improper handling of requests to the Developer Portal. IBM X-Force ID: 127002.

  • CVE-2017-6681HigJun 13, 2017
    risk 0.49cvss 7.5epss 0.03

    A vulnerability in the AutoVNF VNFStagingView class of Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to execute a relative path traversal attack, enabling an attacker to read sensitive files on the system. More Information: CSCvc76662. Known…

  • CVE-2016-7814HigJun 9, 2017
    risk 0.49cvss 7.5epss 0.03

    I-O DATA DEVICE TS-WRLP firmware version 1.00.01 and earlier and TS-WRLA firmware version 1.00.01 and earlier allow remote attackers to obtain authentication credentials via unspecified vectors.

  • CVE-2016-5416HigJun 8, 2017
    risk 0.49cvss 7.5epss 0.03

    389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to read the default Access Control…

  • CVE-2016-4992HigJun 8, 2017
    risk 0.49cvss 7.5epss 0.02

    389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component…

  • CVE-2015-2251HigJun 8, 2017
    risk 0.49cvss 7.5epss 0.01

    The DeviceManager in Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to obtain sensitive information via a crafted UDS patch with JavaScript.

  • CVE-2017-7313HigJun 7, 2017
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1. When going to the /TabId/275 URI, it is possible to read any customer name, master Customer Id, and email address. In other words, anyone can search for users/customers in the system - no authentication is…

  • CVE-2016-8230HigJun 4, 2017
    risk 0.49cvss 7.5epss 0.01

    In Lenovo Service Bridge before version 4, an insecure HTTP connection is used by LSB to send system serial number, machine type and model and product name to Lenovo's servers.

  • CVE-2017-2304HigMay 30, 2017
    risk 0.49cvss 7.5epss 0.02

    Juniper Networks QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600 devices running Junos OS 14.1X53 prior to 14.1X53-D40, 15.1X53 prior to 15.1X53-D40, 15.1 prior to 15.1R2, do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory…

  • CVE-2017-7338HigMay 27, 2017
    risk 0.49cvss 7.5epss 0.01

    A password management vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to carry out information disclosure via the FortiAnalyzer Management View.

  • CVE-2017-7439HigMay 26, 2017
    risk 0.49cvss 7.5epss 0.02

    NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might allow remote attackers to obtain sensitive information via vectors involving error messages.

  • CVE-2015-6586HigMay 23, 2017
    risk 0.49cvss 7.5epss 0.01

    The mDNS module in Huawei WLAN AC6005, AC6605, and ACU2 devices with software before V200R006C00SPC100 allows remote attackers to obtain sensitive information by leveraging failure to restrict processing of mDNS unicast queries to the link local network.

  • CVE-2017-9149HigMay 22, 2017
    risk 0.49cvss 7.5epss 0.02

    Metadata Anonymisation Toolkit (MAT) 0.6 and 0.6.1 silently fails to perform "Clean metadata" actions upon invocation from the Nautilus contextual menu, which allows context-dependent attackers to obtain sensitive information by reading a file for which cleaning had been…

  • CVE-2017-9134HigMay 21, 2017
    risk 0.49cvss 7.5epss 0.01

    An information-leakage issue was discovered on Mimosa Client Radios before 2.2.3 and Mimosa Backhaul Radios before 2.2.3. There is a page in the web interface that will show you the device's serial number, regardless of whether or not you have logged in. This information-leakage…