CWE-497

321 CVEs • Abstraction: Base

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
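Two of the ways this weakness appears in the entries below are a generated secret written to disk or to a log where any local user can read it (the Netplan WireGuard key and the Ansible ec2_key entries), and a "fetch a configuration value" interface that lets the caller name any key, including credentials (the aEnrich a+HRD entry). The following is an added example, not code from any product on this page: the names write_secret, fetch_setting and PUBLIC_SETTINGS, the sample settings store and the file layout are assumptions made for illustration. It shows each pattern in its leaky form beside the hardened form, plus the permission check a practitioner would run over generated configuration.

```python
"""
CWE-497 illustration (added example; not code from any product listed here).

1. Secret artifact on disk: a plain open() inherits the process umask, so a
   private key lands world-readable under the common 0o022 umask. The hardened
   writer creates the file with mode 0o600 at open time; the umask can only
   clear bits, never add them, so the file is never wider than 0o600.
2. Configuration lookup: serving whatever key the caller names hands out
   credentials. The hardened lookup allowlists the keys a low-privilege
   front end may read and denies everything else by default.
All names below (SETTINGS, PUBLIC_SETTINGS, write_secret, fetch_setting) are
hypothetical; the settings store is constructed sample data.
"""
import os
import stat
import tempfile

# Constructed stand-in for a product's configuration store.
SETTINGS = {
    "ui.theme": "dark",
    "mail.from": "noreply@example.test",
    "db.password": "hunter2",             # sensitive
    "vpn.private_key": "wg-private-key",  # sensitive
}

# Keys a low-privilege caller may read. Deny-by-default: anything not listed
# is treated as system-level information, so new secrets are safe by default.
PUBLIC_SETTINGS = frozenset({"ui.theme", "mail.from"})


def fetch_setting_vulnerable(key: str) -> str:
    """Leaky pattern: the caller names the key, the server returns it."""
    return SETTINGS[key]


def fetch_setting(key: str) -> str:
    """Hardened pattern: only allowlisted keys are served; others are refused."""
    if key not in PUBLIC_SETTINGS:
        raise PermissionError(f"setting {key!r} is not readable from this context")
    return SETTINGS[key]


def write_secret_vulnerable(path: str, secret: str) -> None:
    """Leaky pattern: default open() mode, file ends up 0o644 under umask 0o022."""
    with open(path, "w") as fh:
        fh.write(secret)


def write_secret(path: str, secret: str) -> None:
    """Hardened pattern: create owner-only, exclusively, with the mode set at open.

    O_EXCL fails if the path already exists (no clobbering a symlink planted by
    another local user); mode 0o600 is applied at creation, so there is no
    window in which the file exists with broader permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
    except Exception:
        os.unlink(path)
        raise


def is_readable_by_others(path: str) -> bool:
    """Audit check: does the file carry any group or other permission bits?"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    """Exercise both variants in a scratch directory and report what leaked."""
    results = {}
    old_umask = os.umask(0o022)  # the common default that yields 0o644 files
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "wg0.netdev.bad")
            good = os.path.join(d, "wg0.netdev.good")
            write_secret_vulnerable(bad, SETTINGS["vpn.private_key"])
            write_secret(good, SETTINGS["vpn.private_key"])
            results["vulnerable_file_world_readable"] = is_readable_by_others(bad)
            results["hardened_file_world_readable"] = is_readable_by_others(good)
    finally:
        os.umask(old_umask)
    results["vulnerable_api_leaks_password"] = (
        fetch_setting_vulnerable("db.password") == "hunter2")
    try:
        fetch_setting("db.password")
        results["hardened_api_leaks_password"] = True
    except PermissionError:
        results["hardened_api_leaks_password"] = False
    results["hardened_api_serves_public"] = fetch_setting("ui.theme") == "dark"
    return results


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {leaked}")
```

The same is_readable_by_others check, pointed at a product's generated configuration directory after install or at its log directory, is the quickest way to confirm whether a key or credential has crossed into the local-user control sphere; the allowlist in fetch_setting is the shape of fix that closes the "any key by name" class regardless of which specific key was found exposed.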

CVEs (321)

Each entry gives vendor, product(s), the record's last-updated and published dates, CVSS scores by version (v4, v3, v2), and the description.

Vendor: Canonical · Product: Netplan · Updated: Nov 21, 2024 · Published: Jun 7, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
netplan leaks the private key of WireGuard to local users. Versions after 1.0 are not affected.

Vendor: ABB · Products (5): 2tma310010b0001 Firmware, 2tma310010b0003 Firmware, 2tma310011b0001 Firmware, +2 more · Updated: Sep 17, 2025 · Published: Jun 5, 2024 · CVSS: v4 7.3 HIGH, v3 8.8 HIGH, v2 N/A
FDSK leak in ABB, Busch-Jaeger, FTS Display (version 1.00) and BCU (version 1.3.0.33) allows an attacker to take control via access to the local KNX bus system.

Vendor: - · Product: - · Updated: Mar 27, 2025 · Published: May 19, 2024 · CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
tine before 2023.11.8, when an LDAP backend is used, allows anonymous remote attackers to obtain sensitive authentication information via setup.php because of getRegistryData in Setup/Frontend/Json.php. (An update is also available for the 2022.11 series.)

Vendor: Fortinet · Product: Fortiadc · Updated: Nov 21, 2024 · Published: May 14, 2024 · CVSS: v4 N/A, v3 5.5 MEDIUM, v2 N/A
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiADC version 7.4.1 and below, version 7.2.3 and below, version 7.1.4 and below, version 7.0.5 and below, version 6.2.6 and below may allow a read-only admin to view data pertaining to other admins.

Vendor: Analytify · Product: Analytify Google Analytics Dashboard · Updated: Apr 8, 2026 · Published: May 2, 2024 · CVSS: v4 N/A, v3 5.4 MEDIUM, v2 N/A
The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings.

Vendor: IBM · Product: Security Verify Privilege On Premises · Updated: Aug 13, 2025 · Published: Apr 16, 2024 · CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
IBM Security Verify Privilege 11.6.25 could allow an unauthenticated actor to obtain sensitive information from the SOAP API. IBM X-Force ID: 287651.

Vendor: Aenrich · Product: A+hrd · Updated: Nov 17, 2025 · Published: Apr 15, 2024 · CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values.

Vendor: - · Product: - · Updated: Nov 21, 2024 · Published: Apr 5, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information.

Vendor: - · Product: - · Updated: Nov 21, 2024 · Published: Apr 3, 2024 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 N/A
An information disclosure flaw was found in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This issue could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator.

Vendor: IBM · Product: Cloud Pak For Business Automation · Updated: Nov 21, 2024 · Published: Mar 31, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, and 23.0.2 may allow end users to query more documents than expected from a connected Enterprise Content Management system when configured to use a system account. IBM X-Force ID: 275938.

Vendor: Google · Product: Android · Updated: Mar 27, 2025 · Published: Mar 11, 2024 · CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: Alf · Product: Alf · Updated: Dec 18, 2024 · Published: Feb 19, 2024 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, an attacker can access data from other organizers. The attacker can use a specially crafted request to receive the e-mail log sent by other events. Version 2.0-M4-2402 fixes this issue.

Vendor: Lenovo · Products (4): Tab M8 Hd Tb8505f Firmware, Tab M8 Hd Tb8505fs Firmware, Tab M8 Hd Tb8505x Firmware, +1 more · Updated: Nov 21, 2024 · Published: Jan 19, 2024 · CVSS: v4 N/A, v3 3.3 LOW, v2 N/A
An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.

Vendor: SAP · Product: Gui Connector · Updated: Nov 21, 2024 · Published: Jan 9, 2024 · CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted, causing high impact on confidentiality.

Vendor: SAP · Product: Netweaver · Updated: Nov 21, 2024 · Published: Jan 9, 2024 · CVSS: v4 N/A, v3 7.5 HIGH, v2 N/A
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted, causing high impact on confidentiality.

Vendor: SAP · Product: Netweaver Application Server Abap · Updated: Nov 21, 2024 · Published: Nov 14, 2023 · CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
Under certain conditions SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access unintended data due to the lack of restrictions applied, which may lead to low impact on confidentiality and no impact on the integrity and availability of the application.

Vendor: Easyuse · Product: Mailhunter Ultimate · Updated: Nov 21, 2024 · Published: Oct 17, 2023 · CVSS: v4 N/A, v3 4.3 MEDIUM, v2 N/A
Exposure of Sensitive System Information to an Unauthorized Control Sphere in the create template function in EasyUse MailHunter Ultimate 2023 and earlier allows remote authenticated users to obtain the absolute path via the unencrypted VIEWSTATE parameter.

Vendor: Redhat · Products (2): Ansible Automation Platform, Ansible Collection · Updated: Nov 21, 2024 · Published: Oct 4, 2023 · CVSS: v4 N/A, v3 7.8 HIGH, v2 N/A
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

Vendor: Cisco · Product: Identity Services Engine · Updated: Nov 21, 2024 · Published: Aug 16, 2023 · CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information. This vulnerability is due to the improper storage of sensitive information within the web-based management interface. An attacker could exploit this vulnerability by logging in to the web-based management interface and viewing hidden fields within the application. A successful exploit could allow the attacker to access sensitive information, including device entry credentials, that could aid the attacker in further attacks.

Vendor: SAP · Product: Business One · Updated: Nov 21, 2024 · Published: Aug 8, 2023 · CVSS: v4 N/A, v3 5.3 MEDIUM, v2 N/A
SAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge to perform certain operations to access unintended data over the network, which could lead to high impact on confidentiality with no impact on integrity and availability of the application.