VYPR

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Base · Incomplete

Description

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-170 · CAPEC-694

CVEs mapped to this weakness (213)

page 4 of 11
  • CVE-2023-4605 · Medium · Apr 5, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information.

  • CVE-2026-9307 · Medium · Jun 16, 2026
    risk 0.41 · cvss - · epss 0.00

    A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can…

  • CVE-2025-27403 · High · Mar 11, 2025
    risk 0.40 · cvss - · epss 0.00

    Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to…

  • CVE-2025-4229 · Medium · Jun 13, 2025
    risk 0.39 · cvss - · epss 0.00

    An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the…

  • CVE-2025-0059 · Medium · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able…

  • CVE-2025-0056 · Medium · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP GUI for Java saves user input on the client PC to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the…

  • CVE-2025-0055 · Medium · Jan 14, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the…

  • CVE-2022-50237 · Medium · Jul 28, 2025
    risk 0.38 · cvss 5.9 · epss 0.00

    The ed25519-dalek crate before 2 for Rust allows a double public key signing function oracle attack. The Keypair implementation leads to a simple computation for extracting a private key.

  • CVE-2024-52321 · Medium · Dec 23, 2024
    risk 0.38 · cvss 5.9 · epss 0.01

    Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup function. The product's backup files containing sensitive information may be retrieved by a remote unauthenticated attacker.

  • CVE-2025-46747 · Medium · May 12, 2025
    risk 0.37 · cvss 5.7 · epss 0.00

    An authenticated user without user-management permissions could identify other user accounts.

  • CVE-2026-0466 · Medium · Jun 9, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    Improper access control in AMD uProf may allow a local attacker with user privileges to write to the kernel-shared memory section, potentially resulting in crash or denial of service.

  • CVE-2025-49419 · Medium · Jun 6, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress esign-genie-for-wp allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from n/a through <= 2.0.3.

  • CVE-2025-30170 · Medium · May 22, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Exposure of file path, file size or file existence vulnerabilities in ASPECT provide attackers access to file system information if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX…

  • CVE-2024-11029 · Medium · Jan 15, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal…

  • CVE-2024-22037 · Medium · Nov 28, 2024
    risk 0.36 · cvss 5.5 · epss 0.00

    The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown to users, but the environment is still exposed by systemd to non-privileged users.

  • CVE-2025-32251 · Medium · Apr 4, 2025
    risk 0.35 · cvss 5.3 · epss 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in J. Tyler Wiest Jetpack Feedback Exporter jetpack-feedback-exporter allows Retrieve Embedded Sensitive Data. This issue affects Jetpack Feedback Exporter: from n/a through <= 1.23.

  • CVE-2025-31832 · Medium · Apr 1, 2025
    risk 0.35 · cvss 5.3 · epss 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beee ACF City Selector acf-city-selector allows Retrieve Embedded Sensitive Data. This issue affects ACF City Selector: from n/a through <= 1.17.0.

  • CVE-2024-1809 · Medium · May 2, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including,…

  • CVE-2026-49077 · Medium · Jun 4, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data. This issue affects WP eMember: from n/a through v10.2.2.

  • CVE-2026-25468 · Medium · May 7, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Happy Addons for Elementor: from n/a through 3.20.8.