CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
ClassDraftLikelihood: High
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (5,447)
page 7 of 273| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40885 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2026 | goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6. | |
| CVE-2026-40498 | Cri | 0.57 | 9.8 | 0.00 | Apr 21, 2026 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY, which is exposed in the response and logs. Accessing these endpoints reveals sensitive server information (Full Path Disclosure), process IDs, and allows for Resource Exhaustion (DoS) by triggering heavy background tasks repeatedly without any rate limiting. The cron hash is generated using md5(APP_KEY . 'web_cron_hash'). Since this hash is often transmitted via GET requests, it is susceptible to exposure in server logs, browser history, and proxy logs. Furthermore, the lack of rate limiting on these endpoints allows for automated resource exhaustion (DoS) and brute-force attempts. Version 1.8.213 fixes the issue. | |
| CVE-2025-65957 | Hig | 0.57 | — | 0.00 | Nov 26, 2025 | Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded using environment variables, but there are cases in code (error handling, summaries, webhooks) where configuration summaries may inadvertently leak sensitive data (e.g., by failing to redact data in summary embeds or logs). This issue has been patched via commit dffe050. | |
| CVE-2025-65951 | Hig | 0.57 | 8.7 | 0.00 | Nov 25, 2025 | Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | |
| CVE-2025-8915 | Hig | 0.57 | — | 0.00 | Oct 13, 2025 | Hardcoded TLS private key and certificate in firmware in Kiloview N30 2.02.246 allows malicious adversary to do a Mann-in-the-middle attack via the network | |
| CVE-2025-40645 | Hig | 0.57 | — | 0.00 | Oct 2, 2025 | Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to “/api/reserva/web/clients” using the “phone” parameter. | |
| CVE-2023-49367 | Hig | 0.57 | 8.8 | 0.00 | Sep 18, 2025 | An issue in user interface in Kyocera Command Center RX EXOSYS M5521cdn allows remote to obtain sensitive information via inspecting sent packages by user. | |
| CVE-2025-36759 | Hig | 0.57 | — | 0.00 | Sep 10, 2025 | Through the provision of user names, SolaX Cloud will suggest (similar) user accounts and thereby leak sensitive information such as user email addresses and phone numbers. | |
| CVE-2025-7654 | Hig | 0.57 | 8.8 | 0.00 | Aug 19, 2025 | Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible. Please note both FunnelKit – Funnel Builder for WooCommerce Checkout AND FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce are affected by this. | |
| CVE-2020-36850 | Hig | 0.57 | — | 0.00 | Jul 25, 2025 | An information disclosure vulnerability exits in Sitecore JSS React Sample Application 11.0.0 - 14.0.1 that may cause page content intended for one user to be shown to another user. | |
| CVE-2025-34130 | Hig | 0.57 | — | 0.02 | Jul 16, 2025 | An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot. | |
| CVE-2025-34059 | Hig | 0.57 | — | 0.01 | Jul 1, 2025 | An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | |
| CVE-2025-32958 | Cri | 0.57 | 9.8 | 0.00 | Apr 21, 2025 | Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7. | |
| CVE-2024-8326 | Hig | 0.57 | 8.8 | 0.01 | Dec 17, 2024 | The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114. | |
| CVE-2024-55946 | Hig | 0.57 | — | 0.00 | Dec 13, 2024 | Playloom Engine is an open-source, high-performance game development engine. Engine Beta v0.0.1 has a security vulnerability related to data storage, specifically when using the collaboration features. When collaborating with another user, they may have access to personal information you have entered into the software. This poses a risk to user privacy. The maintainers of Playloom Engine have temporarily disabled the collaboration feature until a fix can be implemented. When Engine Beta v0.0.2 is released, it is expected to contain a patch addressing this issue. Users should refrain from using the collaboration feature in the meantime. | |
| CVE-2024-55875 | Cri | 0.57 | 9.8 | 0.07 | Dec 12, 2024 | http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue. | |
| CVE-2024-25917 | Hig | 0.57 | 8.8 | 0.00 | Apr 25, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodeRevolution WP Setup Wizard.This issue affects WP Setup Wizard: from n/a through 1.0.8.1. | |
| CVE-2017-17692 | Hig | 0.57 | 7.5 | 0.68 | Dec 21, 2017 | Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property. | |
| CVE-2017-17476 | Hig | 0.57 | 8.8 | 0.01 | Dec 20, 2017 | Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email. | |
| CVE-2017-15700 | Hig | 0.57 | 8.8 | 0.00 | Dec 18, 2017 | A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials. |