CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
8,715 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-200 (page 109 of 175)
- CVE-2021-4377 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-07
The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capabili…
- CVE-2021-43792 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-12-01
Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) …
- CVE-2021-43823 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-13
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue aff…
- CVE-2021-43937 | HIGH | CVSS 7.6 | EG 8.8 | 2022-04-29
Elcomplus SmartPTT SCADA Server web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- CVE-2021-43938 | HIGH | CVSS 8.1 | EG 9.8 | 2022-04-29
Elcomplus SmartPTT SCADA Server is vulnerable: an unauthenticated user can request various files from the server without any authentication or authorization.
- CVE-2021-43949 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-01-10
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are be…
- CVE-2021-43951 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-01-10
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view object import configuration details via an Information Disclosure vulnerability in the Create Object type mapping fe…
- CVE-2021-43963 | HIGH | CVSS 8.1 | EG 8.1 | 2021-12-07
An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users w…
- CVE-2021-44141 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-02-21
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix exten…
- CVE-2021-44145 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-17
In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
- CVE-2021-44172 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-09-13
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClientEMS versions 7.0.0 through 7.0.4, 7.0.6 through 7.0.7, in all 6.4 and 6.2 version management interface may allow an unauthenticated attacke…
- CVE-2021-4428 | LOW | CVSS 2.7 | EG 2.7 | 2023-07-18
A vulnerability has been found in what3words Autosuggest Plugin up to 4.0.0 on WordPress and classified as problematic. Affected by this vulnerability is the function enqueue_scripts of the file w3w-autosuggest/public/class-w3w-autosuggest…
- CVE-2021-4430 | LOW | CVSS 3.5 | EG 3.5 | 2023-11-06
A vulnerability classified as problematic has been found in Ortus Solutions ColdBox Elixir 3.1.6. This affects an unknown part of the file src/defaultConfig.js of the component ENV Variable Handler. The manipulation leads to information di…
- CVE-2021-44534 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-05-31
Insufficient user input filtering leads to arbitrary file read by non-authenticated attacker, which results in sensitive information disclosure.
- CVE-2021-44692 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-26
BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and perio…
- CVE-2021-44702 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-01-14
Acrobat Reader DC ActiveX Control versions 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulne…
- CVE-2021-44739 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-01-14
Acrobat Reader DC ActiveX Control versions 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an Information Disclosure vulnerability. An unauthenticated attacker could leverage this vulne…
- CVE-2021-45038 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-12-17
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. By using an action=rollback query, attackers can view private wiki contents.
- CVE-2021-45095 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-12-16
pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.
- CVE-2021-45310 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-02-14
Sangoma Technologies Corporation Switchvox Version 102409 is affected by an information disclosure vulnerability due to an improper access restriction. Users information such as first name, last name, account id, server uuid, email address,…
- CVE-2021-45420 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-14
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system withou…
- CVE-2021-45421 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-14
Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing. A potential attacker can use this misconfiguration to access all the files in the remote directories. Note: the product has not been supported s…
- CVE-2021-45475 | MEDIUM | CVSS 5.3 | EG 7.5 | 2022-10-27
Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability.
- CVE-2021-45493 | HIGH | CVSS 7.6 | EG 7.6 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects RAX35 before 1.0.4.102, RAX38 before 1.0.4.102, and RAX40 before 1.0.4.102.
- CVE-2021-45603 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. A UPnP request reveals a device's serial number, which can be used for a password reset. This affects D7800 before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 be…
- CVE-2021-45646 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-12-26
NETGEAR R7000 devices before 1.0.11.116 are affected by disclosure of sensitive information.
- CVE-2021-45647 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects EAX80 before 1.0.1.62, EX7000 before 1.0.1.104, R6120 before 1.0.0.76, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.78, R6850 b…
- CVE-2021-45648 | LOW | CVSS 3.1 | EG 3.1 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects EX6100v2 before 1.0.1.106, EX6150v2 before 1.0.1.106, EX6250 before 1.0.0.146, EX6400 before 1.0.2.164, EX6400v2 before 1.0.0.146, EX6410 before 1.0.…
- CVE-2021-45649 | HIGH | CVSS 7.9 | EG 7.9 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R7000 before 1.0.11.126, R6900P before 1.3.2.126, and R7000P before 1.3.2.126.
- CVE-2021-45650 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects R7000 before 1.0.11.110, R7900 before 1.0.4.30, R8000 before 1.0.4.62, RS400 before 1.5.1.80, R6400v2 before 1.0.4.102, R7000P before 1.3.2.126, R670…
- CVE-2021-45651 | HIGH | CVSS 7.4 | EG 7.4 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBK50 before 2.7.3.22, RBR50 before 2.7.3.22, and RBS50 before 2.7.3.22.
- CVE-2021-45652 | CRITICAL | CVSS 9.6 | EG 9.6 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10.
- CVE-2021-45653 | LOW | CVSS 3.9 | EG 3.9 | 2021-12-26
Certain NETGEAR devices are affected by disclosure of sensitive information. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10.
- CVE-2021-45654 | CRITICAL | CVSS 9.6 | EG 9.6 | 2021-12-26
NETGEAR XR1000 devices before 1.0.0.58 are affected by disclosure of sensitive information.
- CVE-2021-45884 | HIGH | CVSS 7.5 | EG 7.5 | 2021-12-27
In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying extension using the system's DNS setting…
- CVE-2021-46148 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-01-10
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. Some unprivileged users can view confidential information (e.g., IP addresses and User-Agent headers for election traffic) on a testwiki Se…
- CVE-2021-46166 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-01-10
Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.
- CVE-2021-46841 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-02-27
This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in Apple Music 3.5.0 for Android. An attacker in a privileged network position can track a user's activity.
- CVE-2021-46891 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-07-05
Vulnerability of incomplete read and write permission verification in the GPU module. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
- CVE-2021-47403 | HIGH | CVSS 7.1 | EG 7.1 | 2024-05-21
In the Linux kernel, the following vulnerability has been resolved: ipack: ipoctal: fix module reference leak A reference to the carrier module was taken on every open but was only released once when the final reference to the tty struct…
- CVE-2022-0013 | MEDIUM | CVSS 5.0 | EG 5.0 | 2022-01-12
A file information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker to read the contents of arbitrary files on the system with elevated privileges when generating a support file. This i…
- CVE-2022-0018 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-02-10
An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled i…
- CVE-2022-0093 | LOW | CVSS 3.5 | EG 4.3 | 2022-01-18
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds.
- CVE-2022-0121 | HIGH | CVSS 8.0 | EG 8.0 | 2022-01-06
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch. This issue affects hoppscotch/hoppscotch before 2.1.1.
- CVE-2022-0140 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-04-12
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export it as a CSV File using the vfb-export endpoint.
- CVE-2022-0235 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-01-16
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.
- CVE-2022-0281 | HIGH | CVSS 7.5 | EG 7.5 | 2022-01-20
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
- CVE-2022-0287 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-04-25
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve all email addresses from the blog.
- CVE-2022-0331 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-03-29
An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.
- CVE-2022-0345 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-02-28
The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (findin…