VYPR

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Abstraction: Base · Status: Incomplete

Description

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
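As an added worked example (not part of the CWE entry and not code from any product listed on this page), the Python below models the pattern that recurs in the CVEs mapped here: a diagnostics or configuration endpoint that returns the process environment and the service configuration to any caller, shown next to a hardened handler that authenticates the caller, allow-lists what an operator may see, and redacts credential-looking fields. The endpoint paths, the operator token, and the environment and configuration values are constructed sample data.

```python
"""CWE-497 pattern: a diagnostics endpoint that leaks the process environment
and service configuration, next to a hardened handler that authenticates the
caller and redacts secrets. Sample data below is constructed for this example."""
import hmac
import json
import re

# Constructed stand-ins for a real process environment and config file
# (hypothetical values, not taken from any product on this page).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/var/lib/nvr",
    "DB_PASSWORD": "s3cr3t-db",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}
SAMPLE_CONFIG = {
    "device_name": "nvr-01",
    "admin_user": "admin",
    "admin_password": "hunter2",
    "cameras": [{"host": "10.0.0.21", "user": "cam", "password": "camera-pw"}],
}
# Hypothetical operator bearer token; a real service issues per-session tokens.
OPERATOR_TOKEN = "7f4d9e0c2b1a"
# Variables a diagnostics view legitimately needs; everything else stays hidden.
ENV_ALLOWLIST = ("PATH", "HOME")
SECRET_KEY_RE = re.compile(r"pass(word)?|secret|token|key", re.IGNORECASE)


def vulnerable_handler(path, headers, env=SAMPLE_ENV, config=SAMPLE_CONFIG):
    """No authentication, raw dump: the shape of most entries in the list below."""
    if path == "/debug/env":
        return 200, json.dumps(env)
    if path == "/config.json":
        return 200, json.dumps(config)
    return 404, ""


def is_authenticated(headers):
    """Constant-time comparison of a bearer token against the operator token."""
    presented = headers.get("Authorization", "")
    if not presented.startswith("Bearer "):
        return False
    return hmac.compare_digest(presented[len("Bearer "):], OPERATOR_TOKEN)


def redact(obj):
    """Recursively blank values whose key names look like credentials."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if SECRET_KEY_RE.search(k) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def hardened_handler(path, headers, env=SAMPLE_ENV, config=SAMPLE_CONFIG):
    """Authenticate first, then return only what the caller is entitled to see."""
    if path not in ("/debug/env", "/config.json"):
        return 404, ""
    if not is_authenticated(headers):
        return 401, ""
    if path == "/debug/env":
        return 200, json.dumps({k: v for k, v in env.items() if k in ENV_ALLOWLIST})
    return 200, json.dumps(redact(config))


def leaked_secrets(body, env=SAMPLE_ENV, config=SAMPLE_CONFIG):
    """Check helper: which sample credentials appear verbatim in a response body."""
    secrets = [env["DB_PASSWORD"], env["AWS_SECRET_ACCESS_KEY"],
               config["admin_password"], config["cameras"][0]["password"]]
    return [s for s in secrets if s in body]


if __name__ == "__main__":
    anon = {}
    operator = {"Authorization": "Bearer " + OPERATOR_TOKEN}
    for handler in (vulnerable_handler, hardened_handler):
        for path in ("/debug/env", "/config.json"):
            status, body = handler(path, anon)
            print(f"{handler.__name__:19} {path:13} anon -> {status}, leaks {leaked_secrets(body)}")
    status, body = hardened_handler("/config.json", operator)
    print(f"hardened_handler    /config.json  operator -> {status}, leaks {leaked_secrets(body)}")
```

The authentication check is the control; redaction by key name is only a backstop, since credentials do not always sit under obvious names. Even an authenticated operator gets an allow-list of environment variables rather than the full environment, because the product's own view of the host is exactly the access level CWE-497 says must not be handed to a less-privileged sphere.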

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-170 · CAPEC-694

CVEs mapped to this weakness (213), page 1 of 11
  • CVE-2025-10264 · Critical · Sep 12, 2025
    risk 0.65 · CVSS 10.0 · EPSS 0.00

    Certain models of NVR developed by Digiever have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access the system configuration file and obtain plaintext credentials of the NVR and its connected cameras.

  • CVE-2025-47699 · Critical · Oct 23, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre…

  • CVE-2025-6561 · Critical · Jun 26, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials.

  • CVE-2025-5893 · Critical · Jun 9, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.

  • CVE-2025-1144 · Critical · Feb 11, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    School Affairs System from Quanxun has an Exposure of Sensitive Information vulnerability, allowing unauthenticated attackers to view specific pages and obtain database information as well as plaintext administrator credentials.

  • CVE-2024-36554 · Critical · Feb 6, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain information about the device by sending an SMS to the device which returns…

  • CVE-2025-11545 · Critical · Dec 22, 2025
    risk 0.62 · CVSS not listed · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows an attacker to improperly access the HTTP server and execute arbitrary actions.

  • CVE-2025-59098 · High · Jan 26, 2026
    risk 0.57 · CVSS not listed · EPSS 0.00

    The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the…

  • CVE-2022-4985 · High · Nov 14, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    Vodafone H500s devices running firmware v3.5.10 (hardware model Sercomm VFH500) expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve…

  • CVE-2025-12779 · High · Nov 5, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be…

  • CVE-2025-4364 · High · May 20, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    The affected products could allow an unauthenticated attacker to access system information that could enable further access to sensitive files and obtain administrative credentials.

  • CVE-2024-8313 · High · Mar 25, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    An Exposure of Sensitive System Information to an Unauthorized Control Sphere and Initialization of a Resource with an Insecure Default vulnerability in the SNMP component of B&R APROL <4.4-00P5 may allow an unauthenticated adjacent-based attacker to read and alter configuration…

  • CVE-2024-39675 · High · Jul 9, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A vulnerability has been identified in RUGGEDCOM RMC30 (All versions < V4.3.10), RUGGEDCOM RMC30NC (All versions < V4.3.10), RUGGEDCOM RP110 (All versions < V4.3.10), RUGGEDCOM RP110NC (All versions < V4.3.10), RUGGEDCOM RS400 (All versions < V4.3.10), RUGGEDCOM RS400NC (All…

  • CVE-2026-42047 · High · May 7, 2026
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host…

  • CVE-2026-24222 · High · Apr 28, 2026
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly…

  • CVE-2024-12367 · High · Sep 16, 2025
    risk 0.56 · CVSS 8.6 · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vegagrup Software Vega Master allows Directory Indexing. This issue affects Vega Master: from v.1.12.35 through 20250916. NOTE: The vendor did not inform about the completion of the…

  • CVE-2025-9986 · High · Feb 11, 2026
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation. This issue affects DIGIKENT: through 13092025.

  • CVE-2025-11151 · High · Oct 21, 2025
    risk 0.53 · CVSS 8.2 · EPSS 0.00

    Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages. This issue affects…

  • CVE-2025-32792 · High · Apr 18, 2025
    risk 0.50 · CVSS not listed · EPSS 0.00

    SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution…

  • CVE-2026-52694 · High · Jun 15, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.