CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
8,637 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-200 (page 55 of 173)
- CVE-2018-12076 | MEDIUM | CVSS 4.2 | EG 4.2 | 2018-12-13
A vulnerability in the UPC bar code of the Avanti Markets MarketCard could allow an unauthenticated, local attacker to access funds within the customer's MarketCard balance, and also could lead to Customer Information Disclosure. The vulne…
- CVE-2018-12089 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-11
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is…
- CVE-2018-12097 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-06-19
The liblnk_location_information_read_data function in liblnk_location_information.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file. NOTE: the ven…
- CVE-2018-12098 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-06-19
The liblnk_data_block_read function in liblnk_data_block.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file. NOTE: the vendor has disputed this as …
- CVE-2018-12126 | MEDIUM | CVSS 5.6 | EG 5.6 | 2019-05-30
Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.…
- CVE-2018-12127 | MEDIUM | CVSS 5.6 | EG 5.6 | 2019-05-30
Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A lis…
- CVE-2018-12130 | MEDIUM | CVSS 5.9 | EG 5.6 | 2019-05-30
Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A…
- CVE-2018-12155 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-12-05
Data leakage in cryptographic libraries for Intel IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2018-12158 | MEDIUM | CVSS 6.0 | EG 6.0 | 2018-10-10
Insufficient input validation in BIOS update utility in Intel NUC FW kits downloaded before May 24, 2018 may allow a privileged user to potentially trigger a denial of service or information disclosure via local access.
- CVE-2018-12161 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-10-10
Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access.
- CVE-2018-12224 | LOW | CVSS 3.3 | EG 3.3 | 2019-03-14
Buffer leakage in igdkm64.sys in Intel(R) Graphics Driver for Windows* before versions 10.18.x.5059 (aka 15.33.x.5059), 10.18.x.5057 (aka 15.36.x.5057), 20.19.x.5063 (aka 15.40.x.5063), 21.20.x.5064 (aka 15.45.x.5064) and 24.20.100.6373 may…
- CVE-2018-12227 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-12
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block …
- CVE-2018-12301 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-13
Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost.
- CVE-2018-12308 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-12-04
Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL parameter.
- CVE-2018-12318 | HIGH | CVSS 8.8 | EG 8.8 | 2018-12-04
Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext.
- CVE-2018-12329 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-17
Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) 5.6.5 allows a local attacker to duplicate an authentication factor via cloning.
- CVE-2018-12336 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-17
Undocumented Factory Backdoor in ECOS Secure Boot Stick (aka SBS) 5.6.5 allows the vendor to extract confidential information via remote root SSH access.
- CVE-2018-12337 | MEDIUM | CVSS 4.6 | EG 4.6 | 2018-06-17
Reliance on Security Through Obscurity vulnerability in ECOS Secure Boot Stick (aka SBS) 5.6.5 allows an attacker to partially extract confidential configurations via user-space emulation.
- CVE-2018-1234 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-03-30
RSA Authentication Agent version 8.0.1 and earlier for Web for IIS is affected by a problem where access control list (ACL) permissions on a Windows Named Pipe were not sufficient to prevent access by unauthorized users. The attacker with …
- CVE-2018-12358 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-10-18
Service workers can use redirection to avoid the tainting of cross-origin resources in some instances, allowing a malicious site to read responses which are supposed to be opaque. This vulnerability affects Firefox < 61.
- CVE-2018-12365 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-10-18
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects T…
- CVE-2018-12372 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-10-18
Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in an HTML reply/forward. This vulnerability affects Thunderbird < 52.9.
- CVE-2018-12373 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-10-18
Decrypted S/MIME parts hidden with CSS or the plaintext HTML tag can leak plaintext when included in an HTML reply/forward. This vulnerability affects Thunderbird < 52.9.
- CVE-2018-12374 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-10-18
Plaintext of decrypted emails can leak when a user submits an embedded form by pressing the Enter key within a text input field. This vulnerability affects Thunderbird < 52.9.
- CVE-2018-12397 | HIGH | CVSS 7.1 | EG 7.1 | 2019-02-28
A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages witho…
- CVE-2018-1240 | HIGH | CVSS 8.0 | EG 8.0 | 2018-04-18
Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. VRRP defaults to an insecure configuration in Linux's keepalived component which sends the cluster password in plaintext through …
- CVE-2018-12400 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-02-28
In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode. This allows information leakage of sites visited during private browsing sessions. *Note: this issue only affec…
- CVE-2018-12433 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-06-15
cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different vir…
- CVE-2018-12434 | MEDIUM | CVSS 4.7 | EG 4.7 | 2018-06-15
LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local mach…
- CVE-2018-12435 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-15
Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp. To discover an …
- CVE-2018-12436 | MEDIUM | CVSS 4.7 | EG 4.7 | 2018-06-15
wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local…
- CVE-2018-12437 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-06-15
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different …
- CVE-2018-12438 | MEDIUM | CVSS 4.9 | EG 4.9 | 2018-06-15
The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to eit…
- CVE-2018-12439 | MEDIUM | CVSS 4.7 | EG 4.7 | 2018-06-15
MatrixSSL through 3.9.5 Open allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a differen…
- CVE-2018-12440 | MEDIUM | CVSS 4.7 | EG 4.7 | 2018-06-15
BoringSSL through 2018-06-14 allows a memory-cache side-channel attack on DSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a DSA key, the attacker needs access to either the local machine or a different vir…
- CVE-2018-12481 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-15
The Olive Tree Ftp Server application 1.32 for Android has a "Sensitive Data on the Clipboard" vulnerability, as demonstrated by reading the "User password" field with the Drozer post.capture.clipboard module.
- CVE-2018-12522 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-18
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /style/ provides a directory listing.
- CVE-2018-12523 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-18
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /etc/ provides a directory listing.
- CVE-2018-12524 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-18
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /lib/ provides a directory listing.
- CVE-2018-12525 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-18
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /images/ provides a directory listing.
- CVE-2018-12557 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents o…
- CVE-2018-12592 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-20
Polycom RealPresence Web Suite before 2.2.0 does not block a user's video for a few seconds upon joining a meeting (when the user has explicitly chosen to turn off the video using a specific option). During those seconds, a meeting invitee…
- CVE-2018-12594 | HIGH | CVSS 7.5 | EG 7.5 | 2018-06-20
Reliable Controls MACH-ProWebCom 7.80 devices allow remote attackers to obtain sensitive information via a direct request for the data/fileinfo.xml or job/job.json file, as demonstrated by the Master Password field.
- CVE-2018-12610 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-01-30
OX App Suite 7.8.4 and earlier allows Information Exposure.
- CVE-2018-12632 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI.
- CVE-2018-12634 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-22
CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI.
- CVE-2018-12671 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-10-19
An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including all password sets set within the camera. Th…
- CVE-2018-12673 | HIGH | CVSS 7.5 | EG 7.5 | 2018-10-19
An attacker with remote access to the SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) web interface can disclose information about the camera including camera hardware, wireless network, and loca…
- CVE-2018-12684 | HIGH | CVSS 7.1 | EG 7.1 | 2018-06-22
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
- CVE-2018-12716 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-06-25
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browser…