VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 74 of 366
  • CVE-2021-39192MedSep 3, 2021
    risk 0.42cvss 6.5epss 0.01

    Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege…

  • CVE-2021-32717HigJun 24, 2021
    risk 0.42cvss 7.5epss 0.01

    Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the…

  • CVE-2021-20228HigApr 29, 2021
    risk 0.42cvss 7.5epss 0.02

    A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from…

  • CVE-2020-7763HigNov 5, 2020
    risk 0.42cvss 7.5epss 0.02

    This affects the package phantom-html-to-pdf before 0.6.1.

  • CVE-2020-6164HigJul 15, 2020
    risk 0.42cvss 7.5epss 0.02

    In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL…

  • CVE-2016-11066HigJun 19, 2020
    risk 0.42cvss 7.5epss 0.01

    An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.

  • CVE-2020-4045HigJun 11, 2020
    risk 0.42cvss 7.5epss 0.01

    SSB-DB version 20.0.0 has an information disclosure vulnerability. The get() method is supposed to only decrypt messages when you explicitly ask it to, but there is a bug where it's decrypting any message that it can. This means that it is returning the decrypted content of…

  • CVE-2020-13444MedJun 10, 2020
    risk 0.42cvss 6.5epss 0.02

    Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 5 does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers.

  • CVE-2020-13223HigJun 10, 2020
    risk 0.42cvss 7.5epss 0.01

    HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

  • CVE-2020-8151HigMay 12, 2020
    risk 0.42cvss 7.5epss 0.02

    There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.

  • CVE-2020-11009MedApr 29, 2020
    risk 0.42cvss 6.5epss 0.01

    In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high…

  • CVE-2020-1942HigFeb 11, 2020
    risk 0.42cvss 7.5epss 0.03

    In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and…

  • CVE-2020-1932MedJan 28, 2020
    risk 0.42cvss 6.5epss 0.01

    An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.

  • CVE-2019-10195MedNov 27, 2019
    risk 0.42cvss 6.5epss 0.01

    A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch…

  • CVE-2011-4901MedNov 6, 2019
    risk 0.42cvss 6.5epss 0.01

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to extract arbitrary information from the TYPO3 database.

  • CVE-2011-4900MedNov 6, 2019
    risk 0.42cvss 6.5epss 0.01

    TYPO3 before 4.5.4 allows Information Disclosure in the backend.

  • CVE-2011-4627MedNov 6, 2019
    risk 0.42cvss 6.5epss 0.01

    TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows Information Disclosure on the backend.

  • CVE-2010-3664MedNov 4, 2019
    risk 0.42cvss 6.5epss 0.01

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Information Disclosure on the backend.

  • CVE-2019-10407MedSep 25, 2019
    risk 0.42cvss 6.5epss 0.01

    Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin.

  • CVE-2018-21019HigSep 23, 2019
    risk 0.42cvss 7.5epss 0.02

    Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.