CWE-200— Exposure of Sensitive Information to an Unauthorized Actor
8,625 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-200page 24 of 173
- CVE-2012-1882NONECVSS 0.0EG 0.02012-06-12
Microsoft Internet Explorer 6 through 9 does not block cross-domain scrolling events, which allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Scrolling Events Information Disclosur…
- CVE-2012-1896NONECVSS 0.0EG 0.02012-11-14
Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly consider trust levels during construction of output data, which allows remote attackers to obtain sensitive information via (1) a crafted XAML browser application (aka XBAP) or (…
- CVE-2012-1902NONECVSS 0.0EG 0.02012-04-06
show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message abo…
- CVE-2012-1920NONECVSS 0.0EG 0.02012-03-27
@Mail WebMail Client in AtMail Open-Source 1.04 and earlier allows remote attackers to obtain configuration information via a direct request to install/info.php, which calls the phpinfo function.
- CVE-2012-1926NONECVSS 0.0EG 0.02012-03-28
Opera before 11.62 allows remote attackers to bypass the Same Origin Policy via the (1) history.pushState and (2) history.replaceState functions in conjunction with cross-domain frames, leading to unintended read access to history.state in…
- CVE-2012-1945NONECVSS 0.0EG 0.02012-06-05
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads…
- CVE-2012-1960NONECVSS 0.0EG 0.02012-07-18
The qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implementation in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 might allow remote attackers to obtain sensitive information from pro…
- CVE-2012-1994MEDIUMCVSS 5.7EG 5.72020-02-10
HP Systems Insight Manager before 7.0 allows a remote user on adjacent network to access information
- CVE-2012-2038NONECVSS 0.0EG 0.02012-06-09
Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adob…
- CVE-2012-2165NONECVSS 0.0EG 0.02012-08-17
IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3, when ClearQuest Authentication is enabled, allows remote authenticated users to read password hashes via a user query.
- CVE-2012-2168NONECVSS 0.0EG 0.02012-08-17
IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 allows remote authenticated users to obtain sensitive stack-trace information from CM server error messages via an invalid parameter.
- CVE-2012-2185NONECVSS 0.0EG 0.02012-09-10
IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote a…
- CVE-2012-2196NONECVSS 0.0EG 0.02012-07-25
IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to read arbitrary XML files via the (1) GET_WRAP_CFG_C or (2) GET_WRAP_CFG_C2 stored procedure.
- CVE-2012-2223NONECVSS 0.0EG 0.02012-04-11
The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3.x before 10.3.4 and 11.x before 11.2 enables the HTTP TRACE method, which might make it easier for remote attackers to conduct cross-site tracing (XST) attacks via unsp…
- CVE-2012-2296NONECVSS 0.0EG 0.02012-07-25
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by l…
- CVE-2012-2302NONECVSS 0.0EG 0.02012-07-25
Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors.
- CVE-2012-2327NONECVSS 0.0EG 0.02012-08-13
MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message.
- CVE-2012-2357NONECVSS 0.0EG 0.02012-07-21
The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to obtain credential…
- CVE-2012-2387NONECVSS 0.0EG 0.02012-08-20
devotee 0.1 patch 2 uses a 32-bit seed for generating 48-bit random numbers, which makes it easier for remote attackers to obtain the secret monikers via a brute force attack.
- CVE-2012-2420NONECVSS 0.0EG 0.02012-04-25
The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to obtain sensitive informat…
- CVE-2012-2422NONECVSS 0.0EG 0.02012-04-25
Intuit QuickBooks 2009 through 2012 might allow remote attackers to obtain pathname information via the qbwc://docontrol/GetCompanyFile functionality.
- CVE-2012-2423NONECVSS 0.0EG 0.02012-04-25
The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, provide different responses to remote requests depending …
- CVE-2012-2474NONECVSS 0.0EG 0.02012-08-06
Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.2 through 8.4 allows remote authenticated users to cause a denial of service (memory consumption and blank response page) by using the clientless W…
- CVE-2012-2531NONECVSS 0.0EG 0.02012-11-14
Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability."
- CVE-2012-2532NONECVSS 0.0EG 0.02012-11-14
Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) processes unspecified commands before TLS is enabled for a session, which allows remote attackers to obtain sensitive information by reading the replies to these com…
- CVE-2012-2635NONECVSS 0.0EG 0.02012-06-15
The Dolphin Browser HD application before 7.6 and Dolphin for Pad application before 1.0.1 for Android do not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.
- CVE-2012-2645NONECVSS 0.0EG 0.02012-07-16
The Yahoo! Japan Yahoo! Browser application 1.2.0 and earlier for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.
- CVE-2012-2646NONECVSS 0.0EG 0.02012-07-25
The Sleipnir Mobile application before 2.1.0 and Sleipnir Mobile Black Edition application before 2.1.0 for Android do not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted ap…
- CVE-2012-2647NONECVSS 0.0EG 0.02012-07-31
Yahoo! Toolbar 1.0.0.5 and earlier for Chrome and Safari allows remote attackers to modify the configured search URL, and intercept search terms, via a crafted web page.
- CVE-2012-2668NONECVSS 0.0EG 0.02012-06-17
libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using the Mozilla NSS backend, always uses the default cipher suite even when TLSCipherSuite is set, which might cause OpenLDAP to use weaker ciphers than intended an…
- CVE-2012-2724MEDIUMCVSS 5.3EG 5.32020-01-09
The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows remote attackers…
- CVE-2012-2731NONECVSS 0.0EG 0.02012-06-27
The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the H…
- CVE-2012-2815NONECVSS 0.0EG 0.02012-06-27
Google Chrome before 20.0.1132.43 allows remote attackers to obtain potentially sensitive information from a fragment identifier by leveraging access to an IFRAME element associated with a different domain.
- CVE-2012-2854NONECVSS 0.0EG 0.02012-08-06
Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows remote attackers to obtain potentially sensitive information about pointer values by leveraging access to a WebUI renderer…
- CVE-2012-2891NONECVSS 0.0EG 0.02012-09-26
The IPC implementation in Google Chrome before 22.0.1229.79 allows attackers to obtain potentially sensitive information about memory addresses via unspecified vectors.
- CVE-2012-2922NONECVSS 0.0EG 0.02012-05-21
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
- CVE-2012-2997NONECVSS 0.0EG 0.02014-01-21
XML External Entity (XXE) vulnerability in sam/admin/vpe2/public/php/server.php in F5 BIG-IP 10.0.0 through 10.2.4 and 11.0.0 through 11.2.1 allows remote authenticated users to read arbitrary files via a crafted XML file.
- CVE-2012-3034NONECVSS 0.0EG 0.02012-09-18
WebNavigator in Siemens WinCC 7.0 SP3 and earlier, as used in SIMATIC PCS7 and other products, allows remote attackers to discover a username and password via crafted parameters to unspecified methods in ActiveX controls.
- CVE-2012-3094NONECVSS 0.0EG 0.02012-09-16
The VPN downloader in the download_install component in Cisco AnyConnect Secure Mobility Client 3.1.x before 3.1.00495 on Linux accepts arbitrary X.509 server certificates without user interaction, which allows remote attackers to obtain s…
- CVE-2012-3248NONECVSS 0.0EG 0.02012-08-16
HP Fortify Software Security Center 3.1, 3.3, 3.4, and 3.5 allows remote attackers to obtain sensitive information via unspecified vectors.
- CVE-2012-3249NONECVSS 0.0EG 0.02012-08-16
HP Fortify Software Security Center 3.1, 3.3, 3.4, and 3.5 allows remote authenticated users to obtain sensitive information via unspecified vectors.
- CVE-2012-3319NONECVSS 0.0EG 0.02012-10-01
IBM Rational Business Developer 8.x before 8.0.1.4 allows remote attackers to obtain potentially sensitive information via a connection to a web service created with the Rational Business Developer product.
- CVE-2012-3331MEDIUMCVSS 5.3EG 5.32018-02-08
IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF. IBM X-Force ID: 78048.
- CVE-2012-3353HIGHCVSS 7.5EG 7.52018-01-09
The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should …
- CVE-2012-3354NONECVSS 0.0EG 0.02012-11-20
doku.php in DokuWiki, as used in Fedora 16, 17, and 18, when certain PHP error levels are set, allows remote attackers to obtain sensitive information via the prefix parameter, which reveals the installation path in an error message.
- CVE-2012-3357NONECVSS 0.0EG 0.02012-07-22
The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15 does not properly handle log messages when a readable path is copied from an unreadable path, which allows remote attackers to obtain sensitive information, related…
- CVE-2012-3394NONECVSS 0.0EG 0.02012-07-23
auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive info…
- CVE-2012-3419NONECVSS 0.0EG 0.02012-08-27
Performance Co-Pilot (PCP) before 3.6.5 exports some of the /proc file system, which allows attackers to obtain sensitive information such as proc/pid/maps and command line arguments.
- CVE-2012-3430NONECVSS 0.0EG 0.02012-10-03
The rds_recvmsg function in net/rds/recv.c in the Linux kernel before 3.0.44 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) recvfrom o…
- CVE-2012-3474NONECVSS 0.0EG 0.02012-08-12
The comments API in application/libraries/api/MY_Comments_Api_Object.php in the Ushahidi Platform before 2.5 allows remote attackers to obtain sensitive information about the e-mail address, IP address, and other attributes of the author o…
Map vulnerabilities like CWE-200 to your infrastructure
EchelonGraph correlates every CVE — across CWE-200 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →