CWE-497
AllowedExposure of Sensitive System Information to an Unauthorized Control Sphere
Abstraction: Base · Status: Incomplete
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
669 vulnerabilities reference this CWE, most recent first.
GHSA-C6M7-Q6PR-C64R
Vulnerability from github – Published: 2025-12-12 16:41 – Updated: 2025-12-12 16:41Impact
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4
Patches
Upgrade immediately to @vitejs/plugin-rsc@0.5.7 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.6"
},
"package": {
"ecosystem": "npm",
"name": "@vitejs/plugin-rsc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-497",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-12T16:41:58Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository\u0027s advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4\n\n### Patches\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.7` or later.",
"id": "GHSA-c6m7-q6pr-c64r",
"modified": "2025-12-12T16:41:58Z",
"published": "2025-12-12T16:41:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-c6m7-q6pr-c64r"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitejs/vite-plugin-react"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components"
}
GHSA-C82P-3FR5-PXCV
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 21:30Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data.This issue affects AWP Classifieds: from n/a through <= 4.4.3.
{
"affected": [],
"aliases": [
"CVE-2026-24593"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:17Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data.This issue affects AWP Classifieds: from n/a through \u003c= 4.4.3.",
"id": "GHSA-c82p-3fr5-pxcv",
"modified": "2026-01-23T21:30:43Z",
"published": "2026-01-23T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24593"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C866-RQMW-MVMH
Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through <= 2.3.9.
{
"affected": [],
"aliases": [
"CVE-2025-64258"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T08:16:12Z",
"severity": "HIGH"
},
"details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through \u003c= 2.3.9.",
"id": "GHSA-c866-rqmw-mvmh",
"modified": "2026-01-20T15:32:31Z",
"published": "2025-12-18T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64258"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-3-9-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-3-9-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CGPX-R229-QPVJ
Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-12 21:30An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.
{
"affected": [],
"aliases": [
"CVE-2024-36509"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T19:15:10Z",
"severity": "MODERATE"
},
"details": "An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the \"Log Access Event\" logs page.",
"id": "GHSA-cgpx-r229-qpvj",
"modified": "2024-11-12T21:30:52Z",
"published": "2024-11-12T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36509"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CH6M-4RG5-6H78
Vulnerability from github – Published: 2026-02-05 15:31 – Updated: 2026-02-05 15:31IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses.
{
"affected": [],
"aliases": [
"CVE-2025-14150"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T14:16:04Z",
"severity": "MODERATE"
},
"details": "IBM webMethods Integration (on prem) - Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses.",
"id": "GHSA-ch6m-4rg5-6h78",
"modified": "2026-02-05T15:31:14Z",
"published": "2026-02-05T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14150"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7259518"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CHJ5-CQ2P-WVFV
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls.
{
"affected": [],
"aliases": [
"CVE-2019-25230"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T20:15:49Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls.",
"id": "GHSA-chj5-cq2p-wvfv",
"modified": "2025-12-18T21:31:43Z",
"published": "2025-12-18T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25230"
},
{
"type": "WEB",
"url": "https://devnet.kentico.com/download/hotfixes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kentico-xperience-user-widget-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CHQ4-5285-WPM4
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details.
{
"affected": [],
"aliases": [
"CVE-2024-58320"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T20:15:53Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details.",
"id": "GHSA-chq4-5285-wpm4",
"modified": "2025-12-18T21:31:43Z",
"published": "2025-12-18T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58320"
},
{
"type": "WEB",
"url": "https://devnet.kentico.com/download/hotfixes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kentico-xperience-authentication-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CJ66-FMHF-GPQ3
Vulnerability from github – Published: 2025-04-09 09:31 – Updated: 2025-04-09 09:31Information disclosure of authentication information in the specific service vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote unauthenticated attacker may obtain the product authentication information.
{
"affected": [],
"aliases": [
"CVE-2025-27934"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T09:15:17Z",
"severity": "HIGH"
},
"details": "Information disclosure of authentication information in the specific service vulnerability exists in Wi-Fi AP UNIT \u0027AC-WPS-11ac series\u0027. If exploited, a remote unauthenticated attacker may obtain the product authentication information.",
"id": "GHSA-cj66-fmhf-gpq3",
"modified": "2025-04-09T09:31:25Z",
"published": "2025-04-09T09:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27934"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93925742"
},
{
"type": "WEB",
"url": "https://www.inaba.co.jp/abaniact/news/security_20250404.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CM4W-CGHR-8324
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Ays Pro Quiz Maker allows Retrieve Embedded Sensitive Data. This issue affects Quiz Maker: from n/a through 6.7.0.61.
{
"affected": [],
"aliases": [
"CVE-2025-58015"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T19:16:03Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Ays Pro Quiz Maker allows Retrieve Embedded Sensitive Data. This issue affects Quiz Maker: from n/a through 6.7.0.61.",
"id": "GHSA-cm4w-cghr-8324",
"modified": "2026-04-01T18:36:14Z",
"published": "2025-09-22T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58015"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-61-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQ6J-FWR2-X2RR
Vulnerability from github – Published: 2024-11-26 15:31 – Updated: 2024-11-26 15:31A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps.
{
"affected": [],
"aliases": [
"CVE-2024-9929"
],
"database_specific": {
"cwe_ids": [
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T14:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability exists in NSD570 that allows any authenticated\nuser to access all device logs disclosing login information with\ntimestamps.",
"id": "GHSA-cq6j-fwr2-x2rr",
"modified": "2024-11-26T15:31:03Z",
"published": "2024-11-26T15:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9929"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
CAPEC-170: Web Application Fingerprinting
An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
CAPEC-694: System Location Discovery
An adversary collects information about the target system in an attempt to identify the system's geographical location.
Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.