CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (7,319)
page 64 of 366| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-0281 | Hig | 0.43 | 7.5 | 0.12 | Jan 20, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. | ||
| CVE-2021-23386 | — | Hig | 0.43 | 7.7 | 0.01 | May 20, 2021 | This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names. | |
| CVE-2020-13405 | — | Hig | 0.43 | 7.5 | 0.14 | Jul 16, 2020 | userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request. | |
| CVE-2020-5251 | Hig | 0.43 | 7.7 | 0.01 | Mar 4, 2020 | In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. | ||
| CVE-2019-0746 | Med | 0.43 | 6.5 | 0.07 | Apr 9, 2019 | An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'. | ||
| CVE-2018-8424 | Med | 0.43 | 6.5 | 0.13 | Sep 13, 2018 | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows… | ||
| CVE-2018-8422 | Med | 0.43 | 6.5 | 0.06 | Sep 13, 2018 | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8424. | ||
| CVE-2018-8398 | Med | 0.43 | 6.5 | 0.08 | Aug 15, 2018 | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows… | ||
| CVE-2018-8394 | Med | 0.43 | 6.5 | 0.08 | Aug 15, 2018 | An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows… | ||
| CVE-2018-8305 | Med | 0.43 | 6.5 | 0.08 | Jul 11, 2018 | An information disclosure vulnerability exists in Windows Mail Client when a message is opened, aka "Windows Mail Client Information Disclosure Vulnerability." This affects Mail, Calendar, and People in Windows 8.1 App Store. | ||
| CVE-2018-8160 | Med | 0.43 | 6.5 | 0.08 | May 9, 2018 | An information disclosure vulnerability exists in Outlook when a message is opened, aka "Microsoft Outlook Information Disclosure Vulnerability." This affects Word, Microsoft Office. | ||
| CVE-2018-4117 | Med | 0.43 | 6.5 | 0.03 | Apr 3, 2018 | An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the "WebKit"… | ||
| CVE-2017-5795 | Med | 0.43 | 6.5 | 0.03 | Feb 15, 2018 | A Local Arbitrary File Download vulnerability in HPE Intelligent Management Center (IMC) version PLAT 7.2 E0403P06 was found. | ||
| CVE-2017-12555 | Med | 0.43 | 6.5 | 0.03 | Feb 15, 2018 | A remote arbitrary file download and disclosure of information vulnerability in HPE Intelligent Management Center (iMC) Service Operation Management (SOM) version IMC SOM 7.3 E0501 was found. | ||
| CVE-2017-16596 | Med | 0.43 | 6.5 | 0.03 | Jan 23, 2018 | This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be… | ||
| CVE-2017-16595 | Med | 0.43 | 6.5 | 0.03 | Jan 23, 2018 | This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be… | ||
| CVE-2017-16592 | Med | 0.43 | 6.5 | 0.03 | Jan 23, 2018 | This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be… | ||
| CVE-2017-16591 | Med | 0.43 | 6.5 | 0.03 | Jan 23, 2018 | This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.699 build 1001. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be… | ||
| CVE-2017-5754 | — | Med | 0.43 | 5.6 | 0.84 | Jan 4, 2018 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. | |
| CVE-2017-11939 | Med | 0.43 | 6.5 | 0.06 | Dec 12, 2017 | Microsoft Office 2016 Click-to-Run (C2R) allows an information disclosure vulnerability due to the way Microsoft Office enforces DRM copy/paste permissions, aka "Microsoft Office Information Disclosure Vulnerability". |
- risk 0.43cvss 7.5epss 0.12
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
- risk 0.43cvss 7.7epss 0.01
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over unencrypted network when querying crafted invalid domain names.
- risk 0.43cvss 7.5epss 0.14
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.
- risk 0.43cvss 7.7epss 0.01
In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.
- risk 0.43cvss 6.5epss 0.07
An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'.
- risk 0.43cvss 6.5epss 0.13
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows…
- risk 0.43cvss 6.5epss 0.06
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8424.
- risk 0.43cvss 6.5epss 0.08
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows…
- risk 0.43cvss 6.5epss 0.08
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows…
- risk 0.43cvss 6.5epss 0.08
An information disclosure vulnerability exists in Windows Mail Client when a message is opened, aka "Windows Mail Client Information Disclosure Vulnerability." This affects Mail, Calendar, and People in Windows 8.1 App Store.
- risk 0.43cvss 6.5epss 0.08
An information disclosure vulnerability exists in Outlook when a message is opened, aka "Microsoft Outlook Information Disclosure Vulnerability." This affects Word, Microsoft Office.
- risk 0.43cvss 6.5epss 0.03
An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the "WebKit"…
- risk 0.43cvss 6.5epss 0.03
A Local Arbitrary File Download vulnerability in HPE Intelligent Management Center (IMC) version PLAT 7.2 E0403P06 was found.
- risk 0.43cvss 6.5epss 0.03
A remote arbitrary file download and disclosure of information vulnerability in HPE Intelligent Management Center (iMC) Service Operation Management (SOM) version IMC SOM 7.3 E0501 was found.
- risk 0.43cvss 6.5epss 0.03
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be…
- risk 0.43cvss 6.5epss 0.03
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be…
- risk 0.43cvss 6.5epss 0.03
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.730 build 1034. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be…
- risk 0.43cvss 6.5epss 0.03
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of NetGain Systems Enterprise Manager 7.2.699 build 1001. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be…
- risk 0.43cvss 5.6epss 0.84
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
- risk 0.43cvss 6.5epss 0.06
Microsoft Office 2016 Click-to-Run (C2R) allows an information disclosure vulnerability due to the way Microsoft Office enforces DRM copy/paste permissions, aka "Microsoft Office Information Disclosure Vulnerability".