Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (12829)
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. [CVSS 6.2 MEDIUM]
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. [CVSS 8.0 HIGH]
MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. [CVSS 6.5 MEDIUM]
As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.
An attacker with a network connection could detect credentials in clear text.
The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials
The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.
A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. [CVSS 6.1 MEDIUM]
Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.
Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. [CVSS 5.5 MEDIUM]
Cryptographic issue may occur while encrypting license data. [CVSS 8.4 HIGH]
Information disclosure while processing a firmware event. [CVSS 6.1 MEDIUM]
Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by information exposure (CVSS 2.2).
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. [CVSS 8.6 HIGH]
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an adminis...
On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic. [CVSS 4.3 MEDIUM]
Bravia Signage contains a vulnerability that allows attackers to access sensitive system details through API endpoints (CVSS 7.5).
RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. [CVSS 7.5 HIGH]
iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. [CVSS 7.5 HIGH]
QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. [CVSS 7.5 HIGH]
Local attackers can exploit a type confusion vulnerability in iccDEV 2.3.1.1 and earlier during XML curve serialization to cause denial of service or achieve information disclosure. The flaw exists in the CIccSingleSampledeCurveXml class and affects systems using vulnerable versions of the ICC color management library. Public exploit code exists for this vulnerability, though a patch is available in version 2.3.1.2.
Shortcodes and extra features for Phlox theme (WordPress plugin) versions up to 2.17.13 is affected by information exposure (CVSS 5.3).
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifi...
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. [CVSS 5.4 MEDIUM]
Crypt::Sodium::XS for Perl bundles a vulnerable version of libsodium (<= 1.0.20) that has a signature verification flaw. In atypical use cases with custom cryptography, this can compromise data authenticity guarantees. Patch available.
Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or information disclosure if backups are stored in accessible locations. PoC available, patches available.
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. [CVSS 6.5 MEDIUM]
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. [CVSS 6.5 MEDIUM]
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. [CVSS 8.1 HIGH]
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Coolify versions up to 4.0.0 contains a vulnerability that allows attackers to a malicious actor to perform an unauthorized email address change on behalf of t (CVSS 5.7).
An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. [CVSS 7.1 HIGH]
Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27. [CVSS 7.5 HIGH]
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface [CVSS 7.5 HIGH]
Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0. [CVSS 7.5 HIGH]
Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through 3.2.26. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. [CVSS 5.3 MEDIUM]
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. [CVSS 5.3 MEDIUM]
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. [CVSS 5.3 MEDIUM]
AnythingLLM's password recovery endpoint leaks information about valid usernames through differential error messages, enabling account enumeration attacks. Public exploit code exists for this low-complexity network vulnerability that requires no authentication. The issue has been patched as of commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue.
Nuvation Energy MSC through 2.5.1 can be used as an unintended network proxy to bridge security boundaries. An attacker can leverage the controller to access networks that should be isolated, turning the battery controller into a pivot point.
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. [CVSS 7.1 HIGH]
Pa4 Firmware versions up to 1.12.37-20240124 is affected by cleartext transmission of sensitive information (CVSS 7.5).
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.
Rejected reason: This CVE ID was rejected because it was reserved but not used for a vulnerability disclosure. No vendor patch available.