CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Abstraction: Base · Status: Incomplete
Description
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-170 · CAPEC-694
CVEs mapped to this weakness (184)
page 3 of 10

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67954 | Med | 0.42 | 6.5 | 0.00 | | Jan 22, 2026 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. |
| CVE-2025-68551 | Med | 0.42 | 6.5 | 0.00 | | Dec 23, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm v-form allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through <= 3.2.24. |
| CVE-2025-67546 | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data. This issue affects WP ERP: from n/a through <= 1.16.6. |
| CVE-2025-64272 | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Retrieve Embedded Sensitive Data. This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3. |
| CVE-2025-64270 | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data. This issue affects Masteriyo - LMS: from n/a through <= 2.0.3. |
| CVE-2025-49914 | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data. This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7. |
| CVE-2025-52752 | Med | 0.42 | 6.5 | 0.00 | | Oct 22, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro idonate-pro allows Retrieve Embedded Sensitive Data. This issue affects IDonatePro: from n/a through <= 2.1.9. |
| CVE-2025-32164 | Med | 0.42 | 6.5 | 0.00 | | Apr 8, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows Retrieve Embedded Sensitive Data. This issue affects m1.DownloadList: from n/a through <= 0.24. |
| CVE-2024-53814 | Med | 0.42 | 6.5 | 0.01 | | Dec 9, 2024 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Adnan Analytify wp-analytify. This issue affects Analytify: from n/a through <= 5.4.3. |
| CVE-2024-50425 | Med | 0.42 | 6.5 | 0.01 | | Oct 29, 2024 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roland Murg WP Booking System wp-booking-system. This issue affects WP Booking System: from n/a through <= 2.0.19.10. |
| CVE-2024-36070 | High | 0.42 | 7.5 | 0.00 | | May 19, 2024 | tine before 2023.11.8, when an LDAP backend is used, allows anonymous remote attackers to obtain sensitive authentication information via setup.php because of getRegistryData in Setup/Frontend/Json.php. (An update is also available for the 2022.11 series.) |
| CVE-2023-4605 | Med | 0.42 | 6.5 | 0.00 | | Apr 5, 2024 | A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information. |
| CVE-2025-4229 | Med | 0.39 | — | 0.00 | | Jun 13, 2025 | An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall. Cloud NGFW and Prisma® Access are not affected by this vulnerability. |
| CVE-2025-0059 | Med | 0.39 | 6.0 | 0.00 | | Jan 14, 2025 | Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. |
| CVE-2025-0056 | Med | 0.39 | 6.0 | 0.00 | | Jan 14, 2025 | SAP GUI for Java saves user input on the client PC to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. |
| CVE-2025-0055 | Med | 0.39 | 6.0 | 0.00 | | Jan 14, 2025 | SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. |
| CVE-2022-50237 | Med | 0.38 | 5.9 | 0.00 | | Jul 28, 2025 | The ed25519-dalek crate before 2 for Rust allows a double public key signing function oracle attack. The Keypair implementation leads to a simple computation for extracting a private key. |
| CVE-2024-52321 | Med | 0.38 | 5.9 | 0.00 | | Dec 23, 2024 | Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup function. The product's backup files containing sensitive information may be retrieved by a remote unauthenticated attacker. |
| CVE-2025-46747 | Med | 0.37 | 5.7 | 0.00 | | May 12, 2025 | An authenticated user without user-management permissions could identify other user accounts. |
| CVE-2025-49419 | Med | 0.36 | 5.5 | 0.00 | | Jun 6, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress esign-genie-for-wp allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from n/a through <= 2.0.3. |