CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
8,637 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-200 (page 44 of 173)
- CVE-2016-3351 | MEDIUM | CVSS 6.5 | EG 9.0 | ⚠ KEV | 2016-09-14
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
- CVE-2016-3954 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-02-06
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-39…
- CVE-2016-4643 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-01-11
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation.
- CVE-2016-4644 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-01-11
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authenticat…
- CVE-2016-4655 | MEDIUM | CVSS 5.5 | EG 9.0 | ⚠ KEV | 2016-08-25
The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
- CVE-2016-4676 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-03
A Cross-origin vulnerability exists in WebKit in Apple Safari before 10.0.1 when processing location attributes, which could let a remote malicious user obtain sensitive information.
- CVE-2016-5288 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-11
Web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49. This vulnerability affects Firefox < 49.0.2.
- CVE-2016-5346 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-01-08
An Information Disclosure vulnerability exists in the Google Pixel/Pixel SL Qualcomm Avtimer Driver due to a NULL pointer dereference when processing an accept system call by the user process on AF_MSM_IPC sockets, which could let a local …
- CVE-2016-5638 | HIGH | CVSS 7.5 | EG 7.5 | 2018-07-24
There are few web pages associated with the genie app on the Netgear WNDR4500 running firmware version V1.0.1.40_1.0.6877. Genie app adds some capabilities over the Web GUI and can be accessed even when you are away from home. A remote att…
- CVE-2016-5649 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-24
A vulnerability is in the 'BSW_cxttongr.htm' page of the Netgear DGN2200, version DGN2200-V1.0.0.50_7.0.50, and DGND3700, version DGND3700-V1.0.0.17_1.0.17, which can allow a remote attacker to access this page without any authentication. …
- CVE-2016-5724 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-26
Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles.
- CVE-2016-6210 | MEDIUM | CVSS 5.9 | EG 9.0 | 2017-02-13
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing di…
- CVE-2016-6415 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | 2016-09-19
The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory…
- CVE-2016-6538 | HIGH | CVSS 8.8 | EG 8.8 | 2018-07-06
The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vul…
- CVE-2016-6539 | LOW | CVSS 3.5 | EG 3.5 | 2018-07-06
The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the devic…
- CVE-2016-6540 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-07-06
Unauthenticated access to the cloud-based service maintained by TrackR Bravo is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539. Updated ap…
- CVE-2016-6542 | LOW | CVSS 3.7 | EG 3.7 | 2018-07-13
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address.
- CVE-2016-6546 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-13
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.
- CVE-2016-6547 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-13
The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.
- CVE-2016-6548 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-13
The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS. These requests contain the user's authenticated session token with the URL. An attacker can capture these requests and reuse the session token to gain full access the …
- CVE-2016-6587 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-01-08
An Information Disclosure vulnerability exists in the mid.dat file stored on the SD card in Symantec Norton Mobile Security for Android before 3.16, which could let a local malicious user obtain sensitive information.
- CVE-2016-6658 | CRITICAL | CVSS 9.6 | EG 9.6 | 2018-03-29
Applications in cf-release before 245 can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth…
- CVE-2016-7047 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-09-11
A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not hav…
- CVE-2016-7061 | LOW | CVSS 3.5 | EG 6.5 | 2018-09-10
An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sens…
- CVE-2016-7077 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-09-10
foreman before 1.14.0 is vulnerable to an information leak. It was found that Foreman form helper does not authorize options for associated objects. Unauthorized user can see names of such objects if their count is less than 6.
- CVE-2016-7078 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-09-10
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an adminis…
- CVE-2016-7404 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-06-21
OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any…
- CVE-2016-8220 | HIGH | CVSS 7.5 | EG 7.5 | 2018-04-18
Pivotal Gemfire for PCF, versions 1.6.x prior to 1.6.5.0 and 1.7.x prior to 1.7.1.0, contain an information disclosure vulnerability. The application inadvertently exposed WAN replication credentials at a public route.
- CVE-2016-8485 | HIGH | CVSS 7.5 | EG 7.5 | 2018-04-04
An information disclosure vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823681.
- CVE-2016-8486 | HIGH | CVSS 7.5 | EG 7.5 | 2018-04-04
An information disclosure vulnerability in Qualcomm closed source components. Product: Android. Versions: Android kernel. Android ID: A-28823691.
- CVE-2016-8514 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-02-15
A remote information disclosure in HPE Version Control Repository Manager (VCRM) was found. The problem impacts all versions prior to 7.6.
- CVE-2016-8525 | HIGH | CVSS 7.5 | EG 7.5 | 2018-02-15
A Remote Disclosure of Information vulnerability in HPE iMC PLAT version v7.2 E0403P06 and earlier was found. The problem was resolved in iMC PLAT 7.3 E0504 or subsequent version.
- CVE-2016-8531 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-02-15
A remote information disclosure vulnerability in HPE Matrix Operating Environment version 7.6 was found.
- CVE-2016-8637 | MEDIUM | CVSS 5.0 | EG 7.8 | 2018-08-01
A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. Local attacker can use this to obtain…
- CVE-2016-9062 | LOW | CVSS 3.3 | EG 3.3 | 2018-06-11
Private browsing mode leaves metadata information, such as URLs, for sites visited in "browser.db" and "browser.db-wal" files within the Firefox profile after the mode is exited. Note: This issue only affects Firefox for Android. Other ver…
- CVE-2016-9074 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-11
An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox …
- CVE-2016-9159 | MEDIUM | CVSS 5.9 | EG 5.9 | 2016-12-17
A vulnerability has been identified in SIMATIC S7-300 CPU family (All versions), SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V6 and below CPU family (incl. SIPLUS variants) …
- CVE-2016-9491 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-07-13
ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Appl…
- CVE-2016-9499 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-07-13
Accellion FTP server prior to version FTA_9_12_220 only returns the username in the server response if the username is invalid. An attacker may use this information to determine valid user accounts and enumerate them.
- CVE-2016-9590 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-04-26
puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the serv…
- CVE-2016-9711 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-03-22
IBM Predictive Solutions Foundation (IBM Cognos Analytics 11.0) reveals sensitive information in detailed error messages that could aid an attacker in further attacks against the system. IBM X-Force ID: 119619.
- CVE-2016-9904 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-11
An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across w…
- CVE-2017-0022 | MEDIUM | CVSS 6.5 | EG 9.0 | ⚠ KEV | 2017-03-17
Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 improperly …
- CVE-2017-0059 | MEDIUM | CVSS 4.3 | EG 9.0 | ⚠ KEV | 2017-03-17
Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from …
- CVE-2017-0147 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | 2017-03-17
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote at…
- CVE-2017-0361 | HIGH | CVSS 7.8 | EG 7.8 | 2018-04-13
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
- CVE-2017-0748 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-04-05
An information disclosure vulnerability in the Qualcomm audio driver. Product: Android. Versions: Android Kernel. Android ID: A-35764875. References: QC-CR#2029798.
- CVE-2017-0846 | HIGH | CVSS 7.5 | EG 7.5 | 2018-01-12
An information disclosure vulnerability in the Android framework (clipboardservice). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-64934810.
- CVE-2017-1000395 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-01-26
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' e…
- CVE-2017-1000398 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-01-26
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user oth…
Map vulnerabilities like CWE-200 to your infrastructure
EchelonGraph correlates every CVE — across CWE-200 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.