VYPR

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

ClassDraftLikelihood: High

Description

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79

CVEs mapped to this weakness (7,319)

page 93 of 366
  • CVE-2025-55008HigAug 9, 2025
    risk 0.39cvss 7.1epss 0.00

    The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession…

  • CVE-2025-54586HigJul 30, 2025
    risk 0.39cvss 7.1epss 0.00

    GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up…

  • CVE-2025-4426MedJul 30, 2025
    risk 0.39cvss 6.0epss 0.00

    The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability.  https://support.lenovo.com/us/en/product_security/home

  • CVE-2025-46820HigMay 6, 2025
    risk 0.39cvss 7.1epss 0.00

    phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory,…

  • CVE-2024-47779HigOct 15, 2024
    risk 0.39cvss epss 0.00

    Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been…

  • CVE-2024-47771HigOct 15, 2024
    risk 0.39cvss epss 0.01

    Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified…

  • CVE-2014-5245higMay 30, 2024
    risk 0.39cvss epss 0.01

    All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony…

  • CVE-2024-24898MedApr 15, 2024
    risk 0.39cvss 6.0epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in openEuler kernel on Linux allows Resource Leak Exposure. This vulnerability is associated with program files https://gitee.Com/openeuler/kernel/blob/openEuler-1.0-LTS/drivers/staging/gmjstcm/tcm.C. This…

  • CVE-2024-24891MedApr 15, 2024
    risk 0.39cvss 6.0epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in openEuler kernel on Linux allows Resource Leak Exposure. This vulnerability is associated with program files https://gitee.Com/openeuler/kernel/blob/openEuler-1.0-LTS/drivers/staging/gmjstcm/tcm.C. This…

  • CVE-2024-25121HigFeb 13, 2024
    risk 0.39cvss 7.1epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage…

  • CVE-2023-47630HigNov 14, 2023
    risk 0.39cvss 7.1epss 0.00

    Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The…

  • CVE-2022-0588HigFeb 15, 2022
    risk 0.39cvss 7.1epss 0.01

    Missing Authorization in Packagist librenms/librenms prior to 22.2.0.

  • CVE-2021-41355MedOct 13, 2021
    risk 0.39cvss 5.7epss 0.20

    .NET Core and Visual Studio Information Disclosure Vulnerability

  • CVE-2020-1926MedMar 16, 2021
    risk 0.39cvss 5.9epss 0.02

    Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

  • CVE-2020-10750HigJun 19, 2020
    risk 0.39cvss 7.1epss 0.00

    Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.

  • CVE-2018-8023MedSep 21, 2018
    risk 0.39cvss 5.9epss 0.03

    Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is…

  • CVE-2018-8444MedSep 13, 2018
    risk 0.39cvss 5.9epss 0.06

    An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 2.0 (SMBv2) server handles certain requests, aka "Windows SMB Information Disclosure Vulnerability." This affects Windows Server 2012, Windows 10, Windows 8.1, Windows RT 8.1,…

  • CVE-2018-1755MedAug 24, 2018
    risk 0.39cvss 5.9epss 0.03

    IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is…

  • CVE-2018-1546MedJul 6, 2018
    risk 0.39cvss 5.9epss 0.02

    IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle…

  • CVE-2018-5131MedJun 11, 2018
    risk 0.39cvss 5.9epss 0.02

    Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network as it should. This can result in previously stored, locally cached data of a…