Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

CVEs (322)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-13998 1Nagios 1Nagios Xi Nov 6, 2025 Nov 3, 2025 6.0 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. E...Show more Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions.Show less
CVE-2025-34283 1Nagios 1Nagios Xi Nov 6, 2025 Oct 30, 2025 7.1 HIGH· v4 6.5 MEDIUM· v3 N/A· v2 Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API...Show more Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value.Show less
CVE-2024-13999 1Nagios 1Nagios Xi Nov 6, 2025 Oct 30, 2025 7.3 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow d...Show more Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose the server's Active Directory (AD) or LDAP authentication token to an authenticated user. Exposure of the server’s AD/LDAP token could allow domain-wide authentication misuse, escalation of privileges, or further compromise of network-integrated systems.Show less
CVE-2024-13995 1Nagios 1Nagios Xi Nov 6, 2025 Oct 30, 2025 7.1 HIGH· v4 8.8 HIGH· v3 N/A· v2 Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to...Show more Nagios XI versions prior to 2024R1.1.2 may (confirmed in 2024R1.1 and 2024R1.1.1) disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts.Show less
CVE-2025-54459 1Vertikalsystems 1Hospital Manager Backend Services Nov 6, 2025 Oct 29, 2025 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive informatio...Show more Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.Show less
CVE-2025-64228 - - Jan 20, 2026 Oct 29, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Retrieve Embedded Sensitive Data.This issue affects SUMO Affiliates Pro: from n...Show more Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Retrieve Embedded Sensitive Data.This issue affects SUMO Affiliates Pro: from n/a through <= 11.0.0.Show less
CVE-2025-43024 1Hp 1Thinpro Jan 29, 2026 Oct 28, 2025 5.1 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 A GUI dialog of an application allows to view what files are in the file system without proper authorization.
CVE-2025-62524 1Thm 1Pilos Nov 4, 2025 Oct 27, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess poten...Show more PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 exposes the PHP version via the X-Powered-By header, enabling attackers to fingerprint the server and assess potential exploits. This information disclosure vulnerability originates from PHP’s base image. Additionally, the PHP version can also be inferred through the PILOS version displayed in the footer and by examining the source code available on GitHub. This information disclosure vulnerability has been patched in PILOS in v4.8.0.Show less
CVE-2025-62902 1Themehunk 1Wp Popup Builder Apr 27, 2026 Oct 27, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/...Show more Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.8.Show less
CVE-2025-34156 - - Oct 27, 2025 Oct 23, 2025 6.9 MEDIUM· v4 N/A· v3 N/A· v2 Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version infor...Show more Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path details, and version information to unauthorized users, resulting in information disclosure that could aid further compromise.Show less
CVE-2025-47699 - - Oct 27, 2025 Oct 23, 2025 N/A· v4 9.9 CRITICAL· v3 N/A· v2 Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to loc...Show more Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) in the Gallagher Morpho integration could allow an authenticated operator with limited site permissions to make critical changes to local Morpho devices. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.Show less
CVE-2025-59575 - - Apr 29, 2026 Oct 22, 2025 N/A· v4 5.0 MEDIUM· v3 N/A· v2 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects M...Show more Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects MasterStudy LMS: from n/a through <= 3.6.20.Show less
CVE-2025-52752 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro idonate-pro allows Retrieve Embedded Sensitive Data.This issue affects IDonatePro: from n/a through <= 2...Show more Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeAtelier IDonatePro idonate-pro allows Retrieve Embedded Sensitive Data.This issue affects IDonatePro: from n/a through <= 2.1.9.Show less
CVE-2025-11151 - - Oct 21, 2025 Oct 21, 2025 N/A· v4 8.2 HIGH· v3 N/A· v2 Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLu...Show more Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beyaz Bilgisayar Software Design Industry and Trade Ltd. Co. CityPLus allows Detect Unpublicized Web Pages.This issue affects CityPLus: before V24.29500.1.0.Show less
CVE-2025-52616 1Hcltech 1Unica Oct 21, 2025 Oct 12, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.
CVE-2025-4614 1Paloaltonetworks 1Pan Os Oct 22, 2025 Oct 9, 2025 4.8 MEDIUM· v4 2.7 LOW· v3 N/A· v2 An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of...Show more An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.Show less
CVE-2025-44823 1Nagios 1Log Server Nov 6, 2025 Oct 7, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
CVE-2025-59447 - - Oct 8, 2025 Oct 6, 2025 N/A· v4 2.2 LOW· v3 N/A· v2 The YoSmart YoLink Smart Hub device 0382 exposes a UART debug interface. An attacker with direct physical access can leverage this interface to read a boot log, which includes network access credentials.
CVE-2025-58585 1Sick 4Baggage Analytics Logistic Diagnostic AnalyticsPackage Analytics+1 more Jan 27, 2026 Oct 6, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Multiple endpoints with sensitive information do not require authentication, making the application susceptible to information gathering.
CVE-2025-58583 1Sick 1Enterprise Analytics Jan 27, 2026 Oct 6, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The application provides access to a login protected H2 database for caching purposes. The username is prefilled.

Previous 1...678...17 Next