VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 48 of 366
  • CVE-2015-2886 · High · Apr 10, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    iBaby M6 allows remote attackers to obtain sensitive information, related to the ibabycloud.com service.

  • CVE-2015-2884 · High · Apr 10, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Philips In.Sight B120/37 allows remote attackers to obtain sensitive information via a direct request, related to yoics.net URLs, stream.m3u8 URIs, and cam_service_enable.cgi.

  • CVE-2014-2960 · High · Apr 10, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Vision Critical before 2014-05-30 allows attackers to read arbitrary files via unspecified vectors, as demonstrated by image files and configuration files.

  • CVE-2017-5649 · High · Apr 4, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    Apache Geode before 1.1.1, when a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes…

  • CVE-2014-9692 · High · Apr 2, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2…

  • CVE-2017-2382 · High · Apr 2, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    An issue was discovered in certain Apple products. macOS Server before 5.3 is affected. The issue involves the "Wiki Server" component. It allows remote attackers to enumerate user accounts via unspecified vectors.

  • CVE-2015-8625 · High · Mar 23, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array…

  • CVE-2016-5754 · High · Mar 23, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Presence of a .htaccess file could leak information in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before SP2.

  • CVE-2016-5752 · High · Mar 23, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious "Assertion Consumer Service URL" instead of the original requester.

  • CVE-2016-6650 · High · Mar 21, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an SSL Stripping Vulnerability that may potentially be exploited by malicious users to compromise the affected system.

  • CVE-2017-6318 · High · Mar 20, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    saned in sane-backends 1.0.25 allows remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet.

  • CVE-2016-9165 · High · Mar 20, 2017
    risk 0.49 · cvss 7.5 · epss 0.04

    The get_sessions servlet in CA Unified Infrastructure Management (formerly CA Nimsoft Monitor) before 8.5 and CA Unified Infrastructure Management Snap (formerly CA Nimsoft Monitor Snap) allows remote attackers to obtain active session ids and consequently bypass authentication…

  • CVE-2015-3881 · High · Mar 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml.

  • CVE-2014-8701 · High · Mar 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password.

  • CVE-2014-8688 · High · Mar 14, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered in Telegram Messenger 2.6 for iOS and 1.8.2 for Android. Secret chat messages are available in cleartext in process memory and a .db file.

  • CVE-2016-4950 · High · Mar 7, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Cloudera Manager 5.5 and earlier allows remote attackers to enumerate user sessions via a request to /api/v11/users/sessions.

  • CVE-2016-4949 · High · Mar 7, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Cloudera Manager 5.5 and earlier allows remote attackers to obtain sensitive information via a (1) stderr.log or (2) stdout.log value in the filename parameter to /cmf/process/<process_id>/logs.

  • CVE-2016-3127 · High · Mar 3, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An information disclosure vulnerability in the logging implementation of BlackBerry Good Control Server versions earlier than 2.3.53.62 allows remote attackers to gain and use logged encryption keys to access certain resources within a customer's Good deployment by gaining…

  • CVE-2017-5995 · High · Mar 1, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    The NetApp ONTAP Select Deploy administration utility 2.0 through 2.2.1 might allow remote attackers to obtain sensitive information via unspecified vectors.

  • CVE-2017-5927 · High · Feb 27, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Page table walks conducted by the MMU during virtual to physical address translation leave a trace in the last level cache of modern ARM processors. By performing a side-channel attack on the MMU operations, it is possible to leak data and code pointers from JavaScript, breaking…
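Added example (Python; not code from qdPM, Wonder CMS, Cloudera or any other project on this page): the direct-request exposure pattern shared by CVE-2015-3881 (config and log files under the web root), CVE-2014-8701 (/files/password) and CVE-2016-4949 (a filename parameter that selects a log file). It shows a resolver that maps URL paths straight onto the document root, a hardened resolver restricted to allowlisted static files in a dedicated public directory, and an audit function that lists files an unauthenticated GET could fetch. The document-root listing, sensitive-name patterns and extension allowlist are constructed for the example.

```python
# Added example, not code from any of the listed projects. Models the
# "direct request" exposure behind CVE-2015-3881, CVE-2014-8701 and
# CVE-2016-4949: a resolver that serves anything under the document root,
# its hardened replacement, and an audit of what a plain GET could reach.
# Paths, patterns and file names below are constructed.
import fnmatch
import posixpath
from typing import Iterable, List, Optional

# Name patterns that should never be reachable by a direct request (constructed list).
SENSITIVE_GLOBS = (
    "*.yml", "*.yaml", "*.ini", "*.env", "*.log", "*.db", "*.sqlite",
    "*.bak", "*.sql", "*.pem", "*.key", ".htaccess", ".htpasswd", "password",
)

# Extensions the hardened resolver is willing to serve (constructed list).
ALLOWED_EXT = {".html", ".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2"}


def vulnerable_resolve(web_root: str, url_path: str) -> str:
    """Pattern behind the CVEs above: every file under web_root is servable,
    so /core/config/databases.yml or /files/password come back verbatim."""
    return posixpath.join(web_root, url_path.lstrip("/"))


def hardened_resolve(public_root: str, url_path: str) -> Optional[str]:
    """Serve only allowlisted static files from a dedicated public directory.
    Returns the filesystem path to serve, or None (caller answers 404)."""
    # Normalising with a leading "/" collapses "." and ".." without ever
    # escaping the root: normpath("/../../etc/passwd") == "/etc/passwd".
    rel = posixpath.normpath("/" + url_path).lstrip("/")
    if not rel:
        return None
    parts = rel.split("/")
    # Dotfiles and dot-directories (.htaccess, .git, .env) are never served.
    if any(p.startswith(".") for p in parts):
        return None
    # Extension allowlist: config, log and database files have no way in.
    if posixpath.splitext(parts[-1])[1].lower() not in ALLOWED_EXT:
        return None
    return posixpath.join(public_root, rel)


def audit_direct_request_exposure(served_paths: Iterable[str]) -> List[str]:
    """Given the relative paths a server would serve (e.g. collected with
    os.walk over the document root), return those matching a sensitive pattern."""
    return sorted(
        p for p in served_paths
        if any(fnmatch.fnmatch(posixpath.basename(p), g) for g in SENSITIVE_GLOBS)
    )


# Constructed document-root listing, shaped after the paths named in the CVEs.
SAMPLE_TREE = [
    "index.php",
    "css/site.css",
    "core/config/databases.yml",
    "core/log/qdPM_prod.log",
    "core/apps/qdPM/config/settings.yml",
    "files/password",
    ".htaccess",
    "logs/stderr.log",
]

if __name__ == "__main__":
    for p in audit_direct_request_exposure(SAMPLE_TREE):
        print("exposed by direct request:", vulnerable_resolve("/var/www/app", p))
    print(hardened_resolve("/var/www/app/public", "core/config/databases.yml"))
```

The audit is the check to run against a deployed document root: anything it prints is fetchable without credentials unless the web server denies it separately. The hardened resolver relies on two controls that the listed products lacked, a separate public directory so that configuration, logs and databases are never beneath it, and an extension allowlist so that a file that does land there is still not served.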
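Added example (Python; not NetIQ code) for the SAML case in CVE-2016-5752, where an Identity Server handling an unsigned AuthnRequest sent its response to whatever AssertionConsumerServiceURL the request named. The SAML 2.0 Profiles specification requires the IdP to ensure that URL belongs to the requesting SP, which in practice means checking it against the SP's registered metadata. The block shows the vulnerable behaviour beside a checked resolver; the SP registry, entity IDs, endpoint URLs and the AuthnRequest messages are constructed for the example.

```python
# Added example, not NetIQ code. CVE-2016-5752 describes an IdP that, for an
# unsigned AuthnRequest, delivered the SAML response to whatever
# AssertionConsumerServiceURL the request named. The fix is to accept only
# an ACS URL registered in the issuing SP's metadata. Registry, entity IDs,
# URLs and request messages below are constructed.
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What an IdP would load from SP metadata (constructed, hypothetical SP).
SP_REGISTRY = {
    "https://sp.example.org/metadata": {
        "acs_urls": {
            "https://sp.example.org/saml/acs",
            "https://sp.example.org/saml/acs-legacy",
        },
        "default_acs": "https://sp.example.org/saml/acs",
    }
}


class AcsUrlRejected(Exception):
    """Raised when a response may not be sent to the URL the request asked for."""


def _parse(authn_request_xml: str) -> ET.Element:
    # Production code should parse attacker-supplied XML with defusedxml; the
    # stdlib parser is used here only to keep the example dependency-free.
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsUrlRejected("not a samlp:AuthnRequest")
    return root


def vulnerable_acs_url(authn_request_xml: str) -> Optional[str]:
    """The behaviour the CVE describes: trust the request's ACS URL as-is."""
    return _parse(authn_request_xml).get("AssertionConsumerServiceURL")


def safe_acs_url(authn_request_xml: str) -> str:
    """Return an ACS URL registered for the issuing SP, or reject the request.

    Policy: the requested URL must appear in the SP's registered set. The
    spec allows trusting an unregistered URL once the request signature has
    been verified; this example keeps the stricter rule, which costs nothing
    for SPs that publish metadata and keeps signature handling out of the
    decision entirely.
    """
    root = _parse(authn_request_xml)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        raise AcsUrlRejected("unknown or missing Issuer: %r" % issuer)
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        # No URL in the request: use the SP's default endpoint from metadata.
        return sp["default_acs"]
    if requested not in sp["acs_urls"]:
        # Honouring this would hand the assertion to an attacker-chosen endpoint.
        raise AcsUrlRejected("ACS URL %s not registered for %s" % (requested, issuer))
    return requested


def safe_acs_url_or_none(authn_request_xml: str) -> Optional[str]:
    """Convenience wrapper: None instead of an exception when rejected."""
    try:
        return safe_acs_url(authn_request_xml)
    except (AcsUrlRejected, ET.ParseError):
        return None


# Constructed requests. The malicious one is the benign request with the
# ACS URL swapped for an endpoint the attacker controls.
BENIGN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" '
    'Version="2.0" IssueInstant="2017-03-23T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/saml/acs">'
    '<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
MALICIOUS_REQUEST = BENIGN_REQUEST.replace(
    "https://sp.example.org/saml/acs", "https://attacker.example/collect"
)
NO_ACS_REQUEST = BENIGN_REQUEST.replace(
    ' AssertionConsumerServiceURL="https://sp.example.org/saml/acs"', ""
)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_acs_url(MALICIOUS_REQUEST))
    print("hardened:  ", safe_acs_url_or_none(MALICIOUS_REQUEST))
```

The lookup is keyed on the Issuer, so an attacker who forges a request on behalf of a registered SP still only gets the response delivered to that SP's own endpoints; without a registered match the IdP refuses rather than falling back to the request's value.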