Information Disclosure


Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Sensitive data usually reaches an attacker through a handful of channels: verbose error messages whose stack traces reveal internal paths, library versions and framework names; debug endpoints left enabled in production; and misconfigured servers that expose directory listings or version-control artifacts such as .git directories. APIs are another common source, returning whole user objects when only a display name is needed, or leaking system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
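As an added example (not part of the original page), the following Python script applies the reconnaissance checks described above to a set of constructed HTTP responses: it flags version banners in headers, stack-trace and debug-page signatures, directory listings, exposed .git and .env files, and the status/length/body differences between two login responses that give a username-enumeration oracle. The sample responses and the signature list are constructed for the example and are illustrative, not exhaustive; nothing is fetched over the network.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal HTTP response record (constructed for this example; no network I/O)."""
    path: str
    status: int
    headers: dict
    body: str


# Body signatures of common leaks: (finding label, regex). Illustrative, not exhaustive.
BODY_SIGNATURES = [
    ("python_traceback", r"Traceback \(most recent call last\)"),
    ("django_debug_page", r"DEBUG = True"),
    ("php_error_with_path", r"(Fatal error|Warning|Notice): .* in /\S+ on line \d+"),
    ("java_stack_trace", r"^\s+at [\w.$]+\([\w.]+:\d+\)"),
    ("directory_listing", r"<title>Index of /"),
    ("git_head", r"^ref: refs/heads/"),
    ("dotenv_secret", r"^(DB_PASSWORD|APP_KEY|SECRET_KEY|AWS_SECRET_ACCESS_KEY)=\S+"),
]

# Response headers that commonly carry product/version banners (lower-cased names).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def analyze(resp: Response) -> list[str]:
    """Return the information-disclosure findings for one response."""
    findings = []
    for name in BANNER_HEADERS:
        value = resp.headers.get(name)
        # A bare product name ("nginx") is weak; a version after the slash is a finding.
        if value and re.search(r"/\d", value):
            findings.append(f"version_banner:{name}={value}")
    for label, pattern in BODY_SIGNATURES:
        if re.search(pattern, resp.body, re.MULTILINE):
            findings.append(label)
    return findings


def scan(responses: list[Response]) -> dict[str, list[str]]:
    """Map each path with at least one finding to its findings."""
    results = {}
    for resp in responses:
        findings = analyze(resp)
        if findings:
            results[resp.path] = findings
    return results


def enumeration_oracle(a: Response, b: Response) -> list[str]:
    """Compare two responses from the same endpoint that differ only in the submitted
    username. Any observable difference lets an attacker tell valid accounts apart."""
    diffs = []
    if a.status != b.status:
        diffs.append(f"status:{a.status}!={b.status}")
    if len(a.body) != len(b.body):
        diffs.append("length")
    if a.body != b.body:
        diffs.append("body")
    return diffs


# Constructed sample responses, modelled on what the probes above typically return.
SAMPLE = [
    Response("/", 200, {"server": "Apache/2.4.41 (Ubuntu)", "x-powered-by": "PHP/7.4.3"},
             "<html>ok</html>"),
    Response("/.git/HEAD", 200, {}, "ref: refs/heads/main\n"),
    Response("/.env", 200, {}, "APP_ENV=production\nDB_PASSWORD=hunter2\n"),
    Response("/uploads/", 200, {}, "<html><title>Index of /uploads</title></html>"),
    Response("/api/orders/abc", 500, {}, "\n".join([
        "Traceback (most recent call last):",
        '  File "/srv/app/orders/views.py", line 42, in order',
        "KeyError: 'customer'",
        "You're seeing this error because you have DEBUG = True in your Django settings file.",
    ])),
    Response("/healthz", 200, {"server": "nginx"}, "ok"),
]
# Same login endpoint, two usernames: the different status and message are the oracle.
LOGIN_KNOWN = Response("/login", 401, {}, '{"error":"invalid password"}')
LOGIN_UNKNOWN = Response("/login", 404, {}, '{"error":"user not found"}')

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        print(path, findings)
    print("/login oracle:", enumeration_oracle(LOGIN_KNOWN, LOGIN_UNKNOWN))
```

In a real engagement the Response objects would come from an HTTP client; the point is that every check runs on data the server already sent, so the scan is entirely passive apart from requesting the predictable paths.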

Impact

  • Credential compromise: exposed configuration files, hardcoded secrets in source code, or leaked API keys let an attacker authenticate directly to databases, cloud accounts and third-party services
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

Exposed .git directories on production web servers have affected thousands of websites. Because refs, loose objects and packfiles are ordinary static files, an attacker who can fetch .git/HEAD, the refs and the object store can reconstruct the entire source history, including deleted commits that still contain credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. In one reported incident, 150 million voter records were exposed because verbose API error messages revealed the storage URL structure and the storage itself required no authentication.

Framework debug modes left enabled in production have caused numerous breaches. Django with DEBUG=True serves a technical error page with the full stack trace, the local variables of every frame, the request metadata and the settings; settings whose names look secret (PASSWORD, SECRET, KEY, TOKEN and similar) are masked, but local variables holding the same values are not. Laravel's debug pages revealed the application's encryption key through the APP_KEY variable in environment dumps.
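To make the .git exposure concrete, here is an added Python example (not from this page, and not GitDumper's code) that builds a tiny repository in memory as a dictionary of loose-object paths to bytes, then recovers a file from it the way a dumper does: starting from a commit hash it parses the commit, the tree it points to, and the blob behind each entry, verifying each object's SHA-1 against the path it was fetched from. The repository contents (a .env file with a fake DB_PASSWORD) are constructed for the example. Loose objects really are stored as zlib-compressed "type size\0payload" records named by the SHA-1 of the uncompressed record, which is why anyone who can fetch .git/objects/xx/yyyy... files can rebuild the history. The tree walker also handles subdirectories (mode 40000), which the sample repository does not contain.

```python
import hashlib
import zlib


def make_object(obj_type: str, payload: bytes) -> tuple[str, bytes]:
    """Encode a loose object; returns (sha1 hex, zlib-compressed bytes as stored on disk)."""
    raw = f"{obj_type} {len(payload)}\0".encode() + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def loose_path(sha: str) -> str:
    """Path of a loose object relative to the web root, as a dumper would request it."""
    return f".git/objects/{sha[:2]}/{sha[2:]}"


def parse_object(stored: bytes, expected_sha: str = "") -> tuple[str, bytes]:
    """Decode a loose object and check its integrity against the hash it was fetched under."""
    raw = zlib.decompress(stored)
    header, _, payload = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(payload):
        raise ValueError("size mismatch: corrupt or truncated object")
    if expected_sha and hashlib.sha1(raw).hexdigest() != expected_sha:
        raise ValueError("hash mismatch: object does not match its path")
    return obj_type, payload


def parse_tree(payload: bytes) -> list[tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0' followed by a raw 20-byte SHA-1."""
    entries, i = [], 0
    while i < len(payload):
        nul = payload.index(b"\0", i)
        mode, name = payload[i:nul].decode().split(" ", 1)
        entries.append((mode, name, payload[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def parse_commit(payload: bytes) -> dict:
    """Split the header lines (tree, parent*, author, committer) from the message."""
    headers, _, message = payload.partition(b"\n\n")
    info = {"parents": [], "message": message.decode()}
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        if key == "parent":
            info["parents"].append(value)
        else:
            info[key] = value
    return info


def build_sample_repo() -> tuple[dict[str, bytes], str]:
    """Constructed repository: one commit whose tree holds a .env with a fake secret."""
    store = {}
    blob_sha, blob = make_object("blob", b"DB_HOST=db.internal\nDB_PASSWORD=example-not-real\n")
    store[loose_path(blob_sha)] = blob
    tree_sha, tree = make_object("tree", b"100644 .env\0" + bytes.fromhex(blob_sha))
    store[loose_path(tree_sha)] = tree
    commit_payload = (
        f"tree {tree_sha}\n"
        "author Dev <dev@example.com> 1700000000 +0000\n"
        "committer Dev <dev@example.com> 1700000000 +0000\n"
        "\n"
        "add config (oops, includes .env)\n"
    ).encode()
    commit_sha, commit = make_object("commit", commit_payload)
    store[loose_path(commit_sha)] = commit
    return store, commit_sha


def fetch(store: dict[str, bytes], sha: str) -> tuple[str, bytes]:
    """Stand-in for an HTTP GET of .git/objects/xx/yyyy...; verifies the hash as a dumper should."""
    return parse_object(store[loose_path(sha)], sha)


def walk_tree(store: dict[str, bytes], tree_payload: bytes, prefix: str = "") -> dict[str, bytes]:
    """Return {path: content} for every blob reachable from a tree, recursing into subtrees."""
    files = {}
    for mode, name, sha in parse_tree(tree_payload):
        _, content = fetch(store, sha)
        if mode == "40000":  # subdirectory
            files.update(walk_tree(store, content, prefix + name + "/"))
        else:
            files[prefix + name] = content
    return files


def recover_files(store: dict[str, bytes], commit_sha: str) -> tuple[dict, dict[str, bytes]]:
    """Walk commit -> tree -> blobs for one commit; follow commit['parents'] to go back in history."""
    obj_type, payload = fetch(store, commit_sha)
    if obj_type != "commit":
        raise ValueError(f"expected commit, got {obj_type}")
    commit = parse_commit(payload)
    _, tree_payload = fetch(store, commit["tree"])
    return commit, walk_tree(store, tree_payload)


if __name__ == "__main__":
    repo, head = build_sample_repo()
    info, files = recover_files(repo, head)
    print(info["message"].strip(), files)
```

Against a live target the dictionary lookup in fetch() becomes an HTTP GET, and the walk is repeated for each parent hash in the commit chain; that is the whole "reconstruct deleted commits" step, because loose objects are never removed when a commit is amended or rebased until git gc runs.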

Mitigation

  • Generic error pages: return a uniform error message (with an opaque reference ID) to users; log the full exception server-side only
  • Disable debug modes: enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Artifact removal: strip development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment, and verify with a scan of the deployed site
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Server hardening: strip Server and X-Powered-By version banners, disable directory indexing, and send X-Content-Type-Options: nosniff
  • Timing consistency: make authentication and validation take the same time whether or not the input is valid, for example by always running the password-hash comparison (against a dummy hash when the account does not exist)
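The following added Python example (not code from the page) shows the enumeration oracle from "How It Works" beside the mitigations above: a leaky login handler with distinct "user not found"/"invalid password" messages, an early return that skips the hash computation for unknown users, and a success response that dumps the whole user record; then a hardened handler with one uniform message, the same PBKDF2 work on both paths (a dummy hash stands in for missing accounts), and an allowlist of response fields; and finally a generic exception handler that logs the stack trace under a reference ID and sends the client only that ID. The user store, password and iteration count are constructed for the example.

```python
import hashlib
import hmac
import logging
import os
import traceback
import uuid

ITERATIONS = 20_000  # kept low so the demo is quick; use your framework's default in production


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the example (not a real account).
_ALICE_SALT = b"0123456789abcdef"
USERS = {
    "alice": {
        "username": "alice",
        "display_name": "Alice",
        "email": "alice@example.com",
        "role": "admin",
        "salt": _ALICE_SALT,
        "hash": password_hash("correct horse battery staple", _ALICE_SALT),
    }
}


def login_vulnerable(username: str, password: str) -> dict:
    """Leaky version: distinct messages and an early return for unknown users
    (an enumeration oracle, by message and by timing), and the full user record
    including the password hash in the success response."""
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "user not found"}
    if not hmac.compare_digest(password_hash(password, user["salt"]), user["hash"]):
        return {"ok": False, "error": "invalid password"}
    return {"ok": True, "user": user}


# Dummy credential so the unknown-user path does the same work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = password_hash("placeholder", _DUMMY_SALT)
PUBLIC_FIELDS = ("username", "display_name")  # allowlist of fields the API may return


def login_hardened(username: str, password: str) -> dict:
    """Uniform message, uniform work, allowlisted response fields."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # The hash is always computed and compared before the existence check, so
    # neither the timing nor the message depends on whether the account exists.
    matched = hmac.compare_digest(password_hash(password, salt), expected)
    if user is None or not matched:
        return {"ok": False, "error": "invalid username or password"}
    return {"ok": True, "user": {k: user[k] for k in PUBLIC_FIELDS}}


log = logging.getLogger("app")


def handle_exception(exc: Exception) -> tuple[int, dict]:
    """Generic error response: the stack trace goes to the server log under a
    reference ID; the client only gets the ID to quote to support. Call from
    inside an except block so traceback.format_exc() sees the exception."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %r\n%s", ref, exc, traceback.format_exc())
    return 500, {"error": "internal server error", "ref": ref}


if __name__ == "__main__":
    print(login_vulnerable("nobody", "x"), login_vulnerable("alice", "x"))
    print(login_hardened("nobody", "x"), login_hardened("alice", "x"))
    print(login_hardened("alice", "correct horse battery staple"))
```

Note that the uniform message alone is not enough: if the unknown-user branch returned before hashing, the response time would still tell the two cases apart, which is why the dummy hash is computed on that path.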

Recent CVEs (13172)

EPSS 0% CVSS 8.3
HIGH PATCH This Week

CVE-2025-3260 is an authorization bypass vulnerability in Grafana's dashboard API endpoints (/apis/dashboard.grafana.app/*) that allows authenticated users to circumvent dashboard and folder permission controls across all API versions (v0alpha1, v1alpha1, v2alpha1). Affected users with viewer or editor roles can access, modify, or delete dashboards and folders they should not have permission to interact with, while organization isolation boundaries and datasource access controls remain unaffected. With a CVSS score of 8.3 and requiring only low-privilege authentication, this represents a significant risk to multi-tenant Grafana deployments and requires immediate patching.

Authentication Bypass Privilege Escalation Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has been rated as problematic. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CVE-2025-0325 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A low-privileged attacker can set the device date to 19 January 2038 and thereby exceed the 32-bit time limit (which ends at 03:14:07 UTC on that day). This causes the switch's date to wrap back to 1 January 1970.

Information Disclosure Integer Overflow
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Information Disclosure Cms
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.

Information Disclosure Integer Overflow Debian +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A security vulnerability in juzaweb CMS (CVSS 4.3). Risk factors: public PoC available.

Information Disclosure Cms
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

An improper access control vulnerability in Mist Community Edition's API token handler (the create_token function) allows unauthenticated remote attackers to manipulate token generation. Versions up to 4.7.1 are affected; the issue has been publicly disclosed with exploitation details available, and upgrading to 4.7.2 provides the fix. The CVSS 7.3 score reflects high severity with confidentiality, integrity, and availability impact.

Information Disclosure Mist
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

File modification via 2-args open in YAML-LibYAML before 0.903.0 for Perl. PoC and patch available.

Information Disclosure Path Traversal Redhat +2
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Information Disclosure IBM Planning Analytics Local
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM InfoSphere Information Server 11.7 stores credential information for database authentication in a cleartext parameter file that could be viewed by an authenticated user.

Information Disclosure IBM Infosphere Information Server +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability classified as critical has been found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Month

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. Rated high severity (CVSS 7.2); remotely exploitable with low attack complexity. This path traversal could allow attackers to access files and directories outside the intended path.

PHP WordPress RCE +3
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Rated low severity (CVSS 3.7); remotely exploitable and requires no authentication.

Information Disclosure Liboqs
NVD GitHub

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.

Information Disclosure
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user. Rated medium severity (CVSS 6.9); low attack complexity. No vendor patch available.

Information Disclosure Pcmanager Lenovo
NVD
EPSS 0% CVSS 8.5
HIGH This Week

An untrusted search path vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges. Rated high severity (CVSS 8.5); low attack complexity. No vendor patch available.

Information Disclosure Pcmanager Lenovo
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Week

vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5); remotely exploitable with low attack complexity. Public exploit code available.

Information Disclosure Redhat Vllm
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. Rated low severity (CVSS 2.6); remotely exploitable with low attack complexity.

Information Disclosure Go Gh
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a COM hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content. Rated medium severity (CVSS 6.5); low attack complexity. No vendor patch available.

Information Disclosure Microsoft Traveler For Microsoft Outlook
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content. Rated medium severity (CVSS 6.5); low attack complexity. No vendor patch available.

Information Disclosure Microsoft Traveler For Microsoft Outlook
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Due to an outdated hash algorithm, HCL Glovius Cloud could allow attackers to recover the input data efficiently through brute-force or dictionary attacks using modern hardware such as GPUs or ASICs. Rated medium severity (CVSS 6.8). No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using a user-provided PIN code or biometric data. Rated medium severity (CVSS 6.9); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Android-based smartphones from vendors such as Ulefone and Krüger&Matz ship with the "com.pri.factorytest" application preloaded during the manufacturing process. Rated medium severity (CVSS 6.9); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to. Rated medium severity (CVSS 5.4); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Mattermost Server Suse
NVD
EPSS 0% CVSS 4.7
MEDIUM POC PATCH Monitor

A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available; no vendor patch available.

Information Disclosure Linux Redhat +6
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Perl threads have a working directory race condition where file operations may target unintended paths. Rated medium severity (CVSS 5.9); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability exists in the media upload component of the Asset Suite versions listed below. Rated medium severity (CVSS 6.3); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 4.1
MEDIUM Monitor

The web portal on airpointer 2.4.107-2 was vulnerable to local file inclusion. Rated medium severity (CVSS 4.1); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Path Traversal
NVD
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.1); remotely exploitable with low attack complexity. Public exploit code available.

Information Disclosure Race Condition Freescout
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Fabio is an HTTP(S) and TCP router for deploying applications managed by Consul. Rated critical severity (CVSS 9.1); remotely exploitable, requires no authentication, low attack complexity. Public exploit code available.

Information Disclosure Suse Fabio
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. Rated medium severity (CVSS 5.3); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

PHP WordPress Information Disclosure
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Month

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Rated high severity (CVSS 8.6); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Java Information Disclosure Spring +1
NVD HeroDevs
EPSS 0% CVSS 6.3
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

XSS Information Disclosure CSRF +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.5); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0); remotely exploitable with low attack complexity. Public exploit code available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1); remotely exploitable with low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity.

Information Disclosure Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Node.js Next Js
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Month

jhead v3.08 was discovered to contain a heap use-after-free via the ProcessFile function in jhead.c. Rated high severity (CVSS 7.8); requires no authentication, low attack complexity. Public exploit code available; no vendor patch available.

Information Disclosure Use After Free Memory Corruption +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Month

Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext. Rated high severity (CVSS 7.5); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Wifi Lock Controller V1 Rf Firmware
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Tinxy WiFi Lock Controller v1 RF was discovered to transmit sensitive information in plaintext, including control information and device credentials, allowing attackers to possibly intercept and. Rated medium severity (CVSS 5.9); remotely exploitable, requires no authentication. No vendor patch available.

Information Disclosure Wifi Lock Controller V1 Rf Firmware
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while. Rated medium severity (CVSS 5.1); remotely exploitable. Public exploit code available; no vendor patch available.

Information Disclosure Redhat Suse +1
NVD
EPSS 0% CVSS 9.3
CRITICAL This Week

The CS5000 Fire Panel is vulnerable due to a default account that exists on the panel. Rated critical severity (CVSS 9.3); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Santesoft Sante DICOM Viewer Pro contains a memory corruption vulnerability. Rated high severity (CVSS 8.4); requires no authentication, low attack complexity. No vendor patch available.

RCE Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A permissions issue was addressed with additional restrictions. Rated medium severity (CVSS 5.5); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Apple macOS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A logging issue was addressed with improved data redaction. Rated medium severity (CVSS 5.5); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Apple
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

This issue was addressed with improved validation of symlinks. Rated medium severity (CVSS 5.5); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Apple
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Adp Application Developer Platform
NVD VulDB
EPSS 0% CVSS 3.5
LOW Monitor

The Discourse Policy plugin gives the ability to confirm that users have seen or done something. Rated low severity (CVSS 3.5); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM Monitor

A vulnerability, which was classified as problematic, was found in TechPowerUp GPU-Z 2.23.0. Rated medium severity (CVSS 4.8); low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Dell ThinOS 2502 and prior contain a Cleartext Storage of Sensitive Information vulnerability. Rated medium severity (CVSS 5.7); requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Dell Thinos
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in fossasia open-event-server 1.19.1.py in the Mail Verification Handler component. Rated medium severity (CVSS 6.3); remotely exploitable, requires no authentication. Public exploit code available; no vendor patch available.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH Monitor

vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 4.2); remotely exploitable.

Information Disclosure Redhat Vllm
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

vLLM is an inference and serving engine for large language models (LLMs). Rated low severity (CVSS 2.6); remotely exploitable.

Information Disclosure Vllm
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. Rated medium severity (CVSS 6.3); remotely exploitable, requires no authentication. Public exploit code available; no vendor patch available.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() If bio_add_folio() fails (because it is full),. Rated medium severity (CVSS 5.5); low attack complexity.

Information Disclosure Linux Redhat +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in. Rated medium severity (CVSS 5.5); low attack complexity.

Information Disclosure Linux Redhat +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the. Rated medium severity (CVSS 5.5); low attack complexity.

Information Disclosure Linux Redhat +3
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort() Commit fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM"). Rated medium severity (CVSS 5.5); low attack complexity. This use of an uninitialized resource could allow attackers to access uninitialized memory, causing crashes or information disclosure.

Information Disclosure Linux Redhat +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is. Rated medium severity (CVSS 5.5); low attack complexity.

Information Disclosure Linux Memory Corruption +4
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe The spin lock tx_handling_spinlock in struct. Rated medium severity (CVSS 5.5); low attack complexity.

Information Disclosure Linux Redhat +2
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

APTIOV contains an improper input validation vulnerability in the BIOS that a local attacker may trigger. Rated medium severity (CVSS 5.8). No vendor patch available.

Information Disclosure Aptio V
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An authenticated user can disclose the cleartext password of a configured SMTP server via an HTTP GET request to the /config.php endpoint. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch available.

PHP Information Disclosure
NVD
EPSS 1% CVSS 8.7
HIGH This Month

An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials. Rated high severity (CVSS 8.7); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

PHP Information Disclosure
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0); remotely exploitable with low attack complexity.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. Rated high severity (CVSS 7.2); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 8.2
HIGH This Month

All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. Rated high severity (CVSS 8.2); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL This Week

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to read. Rated critical severity (CVSS 9.1); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data. Rated critical severity (CVSS 9.1); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Directory Manager
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Netwrix Directory Manager (formerly Imanami GroupID) before and including v.11.0.0.0 and after v.11.1.25134.03 has Incorrect Permission Assignment for a Critical Resource. Rated medium severity (CVSS 5.0); remotely exploitable with low attack complexity. No vendor patch available.

Information Disclosure Directory Manager
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Summary: this advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. Rated medium severity (CVSS 5.3); remotely exploitable, requires no authentication, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.2
LOW Monitor

The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort. Rated low severity (CVSS 3.2); requires no authentication. No vendor patch available.

Information Disclosure Telemessage
NVD

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
13172
