Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (13721)
MicroDicom DICOM Viewer version 2024.03 fails to adequately verify the update server's certificate, which could make it possible for attackers in a privileged network position to alter network. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A sensitive information disclosure vulnerability in the Tenda W18E V16.01.0.8(1625) web management portal allows an unauthenticated remote attacker to retrieve sensitive configuration information,. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
wandb/openui latest commit c945bb859979659add5f490a874140ad17c56a5d contains a vulnerability where unauthenticated endpoints allow file uploads and downloads from an AWS S3 bucket. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Hickory DNS is a Rust based DNS client, server, and resolver. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability classified as problematic has been found in GNU Binutils 2.43. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability was found in GNU Binutils 2.43. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability was found in GNU Binutils 2.43. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominator defaults to 1 [WHAT & HOW] Variables, used as denominators and maybe not assigned to other. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GNU Binutils 2.43. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A vulnerability exists in the VideONet product included in the listed System 800xA versions, where VideONet is used. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and earlier on Windows allows an attacker to intercept and modify encrypted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This vulnerability exists in Tapo C500 Wi-Fi camera due to hard-coded RSA private key embedded within the device firmware. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() The following call-chain leads to enabling interrupts in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
A vulnerability classified as problematic was found in RT-Thread up to 5.1.0. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
An issue in Brainasoft Braina v2.8 allows a remote attacker to obtain sensitive information via the chat window function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Directory Traversal in File Upload in Gleamtech FileVista 9.2.0.0 allows remote attackers to achieve Code Execution, Information Disclosure, and Escalation of Privileges via injecting malicious. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in AudioCodes Mediant Session Border Controller (SBC) before 7.40A.501.841. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in AudioCodes One Voice Operations Center (OVOC) before 8.4.582. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in AudioCodes One Voice Operations Center (OVOC) before 8.4.582. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unverified password change vulnerability in Janto, versions prior to r12. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zankover Fami Sales Popup allows PHP Local File Inclusion.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Builder Shortcode Extras - WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell Update Manager Plugin, version(s) 1.5.0 through 1.6.0, contain(s) an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge for IOS and Android Spoofing Vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability classified as problematic was found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
The mstatus register in RSD commit 3d13a updates incorrectly, leading to processing errors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Bharti Airtel Xstream Fiber up to 20250123. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.
IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
An issue in Smartcom Bulgaria AD Smartcom Ralink CPE/WiFi router SAM-4G1G-TT-W-VC, SAM-4F1F-TT-W-A1 allows a remote attacker to obtain sensitive information via the Weak default WiFi password. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
2N Access Commander version 2.1 and prior is vulnerable in default settings to Man In The Middle attack due to not verifying certificates of 2N edge devices. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read hardcoded AES passphrase, which may be used for decryption of certain data. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.
Specifically crafted payloads sent to the RFID reader could cause DoS of RFID reader. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Using API in the 2N OS device, authorized user can enable logging, which discloses valid authentication tokens in system log. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been found in AppHouseKitchen AlDente Charge Limiter up to 1.29 on macOS and classified as critical. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Kaspersky has fixed a security issue in Kaspersky Anti-Virus SDK for Windows, Kaspersky Security for Virtualization Light Agent, Kaspersky Endpoint Security for Windows, Kaspersky Small Office. Rated medium severity (CVSS 5.3). No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
In rare scenarios, the cpca process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability of incomplete verification information in the VPN service module Impact: Successful exploitation of this vulnerability may affect availability. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Input verification vulnerability in the ExternalStorageProvider module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Use-After-Free (UAF) vulnerability in the display module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.
Out-of-bounds array read vulnerability in the FFRT module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Vulnerability of improper log information control in the UI framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Identity verification vulnerability in the ParamWatcher module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Unprotected Windows messaging channel ('Shatter') issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
IBM ApplinX 11.1 stores sensitive information in cleartext in memory that could be obtained by an authenticated user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM ApplinX 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM ApplinX 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
IBM Aspera Shares 1.9.0 through 1.10.0 PL6 could allow an attacker to spoof their IP address, which is written to log files, due to improper verification of 'Client-IP' headers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the driver of the NDD Print solution, which could allow an unprivileged user to exploit this flaw and gain SYSTEM-level. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
When URL categorization is configured on a virtual server, undisclosed requests can cause TMM to terminate. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Simple Network Management Protocol (SNMP) polling for Cisco Secure Email and Web Manager, Cisco Secure Email Gateway, and Cisco Secure Web Appliance could allow an authenticated,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in a policy-based Cisco Application Visibility and Control (AVC) implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.