VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 57 of 366
  • CVE-2024-32670HigJul 10, 2024
    risk 0.46cvss epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor in Samsung Galaxy SmartTag2 prior to 0.20.04 allows attackes to potentially identify the tag's location by scanning the BLE adversting.

  • CVE-2023-6572HigDec 14, 2023
    risk 0.46cvss 8.1epss 0.02

    Command Injection in GitHub repository gradio-app/gradio prior to main.

  • CVE-2023-37379HigAug 23, 2023
    risk 0.46cvss 8.1epss 0.01

    Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by…

  • CVE-2023-37260HigJul 6, 2023
    risk 0.46cvss 8.2epss 0.01

    league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in…

  • CVE-2023-33568HigJun 13, 2023
    risk 0.46cvss 7.5epss 0.15

    An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

  • CVE-2022-4734HigDec 27, 2022
    risk 0.46cvss 8.1epss 0.01

    Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-31112HigJun 30, 2022
    risk 0.46cvss 8.2epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from…

  • CVE-2022-1650HigMay 12, 2022
    risk 0.46cvss 8.1epss 0.02

    Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

  • CVE-2022-21671HigJan 11, 2022
    risk 0.46cvss 8.1epss 0.01

    @replit/crosis is a JavaScript client that speaks Replit's container protocol. A vulnerability that involves exposure of sensitive information exists in versions prior to 7.3.1. When using this library as a way to programmatically communicate with Replit in a standalone fashion,…

  • CVE-2021-21421HigApr 1, 2021
    risk 0.46cvss 8.1epss 0.01

    node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too This is fixed in node-etsy-client v0.3.0 and later.

  • CVE-2018-7921MedSep 12, 2018
    risk 0.46cvss 6.5epss 0.13

    Huawei B315s-22 products with software of 21.318.01.00.26 have an information leak vulnerability. Unauthenticated adjacent attackers may exploit this vulnerability to obtain device information.

  • CVE-2013-0522HigJul 16, 2018
    risk 0.46cvss 7.0epss 0.00

    The Notes Client Single Logon feature in IBM Notes 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3, and 9.0 on Windows allows local users to discover passwords via vectors involving an unspecified operating system communication mechanism for password transmission between Windows and…

  • CVE-2018-10596HigJul 3, 2018
    risk 0.46cvss 7.1epss 0.01

    Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based…

  • CVE-2018-5751MedJun 16, 2018
    risk 0.46cvss 6.5epss 0.09

    The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via vectors related to the…

  • CVE-2014-2885HigMar 19, 2018
    risk 0.46cvss 7.1epss 0.00

    Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors…

  • CVE-2018-7704MedMar 15, 2018
    risk 0.46cvss 6.5epss 0.05

    SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read arbitrary e-mail messages via the option1 parameter in a reply action to secmail/getmessage.exe.

  • CVE-2014-4995HigJan 10, 2018
    risk 0.46cvss 7.0epss 0.00

    Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to obtain sensitive information by reading the MySQL root password from a temporary file before it is removed.

  • CVE-2017-12622HigJan 10, 2018
    risk 0.46cvss 7.1epss 0.02

    When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.

  • CVE-2017-4948HigJan 5, 2018
    risk 0.46cvss 7.1epss 0.00

    VMware Workstation (14.x before 14.1.0 and 12.x) and Horizon View Client (4.x before 4.7.0) contain an out-of-bounds read vulnerability in TPView.dll. On Workstation, this issue in conjunction with other bugs may allow a guest to leak information from host or may allow for a…

  • CVE-2017-16787MedDec 15, 2017
    risk 0.46cvss 6.5epss 0.07

    The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote attackers to read arbitrary files by leveraging failure to restrict URL access.