CWE-402
Transmission of Private Resources into a New Sphere ('Resource Leak')
Description
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Hierarchy (View 1000)
CVEs mapped to this weakness (12)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48383 | High | 0.46 | 8.2 | 0.00 | — | May 27, 2025 | Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets… |
| CVE-2017-8442 | Medium | 0.42 | 6.5 | 0.01 | — | Jul 7, 2017 | Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an… |
| CVE-2025-49618 | Medium | 0.38 | 5.8 | 0.00 | — | Jul 3, 2025 | In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint. |
| CVE-2025-52925 | Medium | 0.33 | 5.0 | 0.00 | — | Jul 2, 2025 | In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812. |
| CVE-2025-55014 | Medium | 0.31 | 4.7 | 0.00 | — | Aug 4, 2025 | The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. |
| CVE-2025-66422 | — | 0.00 | — | 0.00 | — | Nov 30, 2025 | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. |
| CVE-2025-29925 | — | 0.00 | — | 0.01 | — | Mar 19, 2025 | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is… |
| CVE-2024-29900 | — | 0.00 | — | 0.01 | — | Mar 29, 2024 | Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final… |
| CVE-2023-38509 | — | 0.00 | — | 0.01 | — | Jul 27, 2023 | XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and it was still possible by… |
| CVE-2023-34467 | — | 0.00 | — | 0.01 | — | Jun 23, 2023 | XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the rest response… |
| CVE-2021-23264 | — | 0.00 | — | 0.01 | — | Dec 2, 2021 | Installations where crafter-search is not protected allow unauthenticated remote attackers to create, view, and delete search indexes. |
| CVE-2021-31407 | — | 0.00 | — | 0.02 | — | Apr 23, 2021 | Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request. |