VYPR

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

ClassDraft

Description

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

Hierarchy (View 1000)

Parents

CVEs mapped to this weakness (12)

  • CVE-2025-48383HigMay 27, 2025
    risk 0.46cvss 8.2epss 0.00

    Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets…

  • CVE-2017-8442MedJul 7, 2017
    risk 0.42cvss 6.5epss 0.01

    Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an…

  • CVE-2025-49618MedJul 3, 2025
    risk 0.38cvss 5.8epss 0.00

    In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

  • CVE-2025-52925MedJul 2, 2025
    risk 0.33cvss 5.0epss 0.00

    In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812.

  • CVE-2025-55014MedAug 4, 2025
    risk 0.31cvss 4.7epss 0.00

    The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.

  • CVE-2025-66422Nov 30, 2025
    risk 0.00cvss epss 0.00

    Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

  • CVE-2025-29925Mar 19, 2025
    risk 0.00cvss epss 0.01

    XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is…

  • CVE-2024-29900Mar 29, 2024
    risk 0.00cvss epss 0.01

    Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final…

  • CVE-2023-38509Jul 27, 2023
    risk 0.00cvss epss 0.01

    XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and is was still possible by…

  • CVE-2023-34467Jun 23, 2023
    risk 0.00cvss epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the rest response…

  • CVE-2021-23264Dec 2, 2021
    risk 0.00cvss epss 0.01

    Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.

  • CVE-2021-31407Apr 23, 2021
    risk 0.00cvss epss 0.02

    Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.