Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CWE-201 (通过发送数据的信息暴露) — Vulnerability Class 333

333 vulnerabilities classified as CWE-201 (通过发送数据的信息暴露). AI Chinese analysis included.

CWE-201 represents an information exposure weakness where software inadvertently transmits sensitive data to unauthorized external actors. This vulnerability typically arises when developers fail to sanitize output streams, allowing credentials, personal identifiable information, or internal system states to leak through network logs, error messages, or API responses. Attackers exploit this by intercepting traffic or analyzing server-side feedback to harvest critical secrets, facilitating further unauthorized access or identity theft. To mitigate this risk, developers must implement strict data filtering and validation protocols before transmission. Utilizing secure logging frameworks that mask sensitive fields, employing encryption for data in transit, and conducting regular code reviews to identify accidental data leaks are essential practices. Ensuring that only necessary, non-sensitive information is shared with external entities significantly reduces the attack surface and protects user privacy.

MITRE CWE Description
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Common Consequences (1)
ConfidentialityRead Files or Directories, Read Memory, Read Application Data
Sensitive data may be exposed to attackers.
Mitigations (4)
RequirementsSpecify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.
ImplementationEnsure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.
System ConfigurationSetup default error messages so that unexpected errors do not disclose sensitive information.
Architecture and DesignCompartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Examples (1)
The following is an actual MySQL error statement:
Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4
Result · SQL
CVE IDTitleCVSSSeverityPublished
CVE-2024-13276 File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040 — File Entity (fieldable files) 7.1 -2025-01-09
CVE-2024-13269 Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033 — Advanced Varnish 9.1 -2025-01-09
CVE-2024-13259 Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023 — Image Sizes 9.1 -2025-01-09
CVE-2024-13254 REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018 — REST Views 5.3 -2025-01-09
CVE-2024-56300 WordPress Post/Page Copying Tool plugin <= 2.0.0 - Sensitive Data Exposure vulnerability — Post/Page Copying Tool 7.5 High2025-01-07
CVE-2025-22303 WordPress WP Mailster plugin <= 1.8.17.0 - Sensitive Data Exposure vulnerability — WP Mailster 5.3 Medium2025-01-07
CVE-2024-54309 WordPress PostBox plugin <= 1.0.4 - Sensitive Data Exposure vulnerability — PostBox 6.5 Medium2024-12-13
CVE-2024-53804 WordPress WP Mailster plugin <= 1.8.16.0 - Sensitive Data Exposure vulnerability — WP Mailster 7.5 High2024-12-06
CVE-2021-1425 Cisco Cisco Email Security Appliance and Content Security Management Appliance Information Disclosure Vulnerability — Cisco Secure Email and Web Manager 4.3 Medium2024-11-18
CVE-2024-3502 Exposure of Sensitive Information in lunary-ai/lunary — lunary-ai/lunary 6.5 -2024-11-14
CVE-2024-50378 Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli — Apache Airflow 6.5 -2024-11-08
CVE-2024-49235 WordPress Contact Forms, Live Support, CRM, Video Messages plugin <= 1.10.2 - Sensitive Data Exposure vulnerability — Contact Forms, Live Support, CRM, Video Messages 7.5 High2024-10-17
CVE-2024-6747 Information leak in mknotifyd — Checkmk 5.3 Medium2024-10-10
CVE-2024-43814 goTenna Pro ATAK Plugin Insertion of Sensitive Information Into Sent Data — Pro ATAK Plugin 4.3 Medium2024-09-26
CVE-2024-41931 goTenna Pro ATAK Plugin Insertion of Sensitive Information Into Sent Data — Pro ATAK Plugin 4.3 Medium2024-09-26
CVE-2024-47128 Insertion of Sensitive Information Into Sent Data in goTenna Pro — Pro 4.3 Medium2024-09-26
CVE-2024-8890 Insertion of Sensitive Information Into Sent Data vulnerability on CIRCUTOR Q-SMT — CIRCUTOR Q-SMT 8.0 High2024-09-18
CVE-2024-7698 Phoenix Contact: Access to CSRF tokens of higher privileged users in MGUARD products — FL MGUARD 2102 5.7 Medium2024-09-10
CVE-2024-6586 Lightdash 安全漏洞 — Lightdash 7.2 -2024-08-30
CVE-2024-43230 WordPress Shared Files – Premium Download Manager & Secure File Sharing with Frontend File Upload plugin <= 1.7.28 - Sensitive Data Exposure vulnerability — Shared Files 5.3 Medium2024-08-26
CVE-2024-43259 WordPress Order Export for WooCommerce plugin <= 3.23 - Sensitive Data Exposure vulnerability — Order Export for WooCommerce 5.3 Medium2024-08-26
CVE-2024-43264 WordPress Create by Mediavine plugin <= 1.9.8 - Sensitive Data Exposure vulnerability — Create by Mediavine 5.3 Medium2024-08-26
CVE-2024-43283 WordPress Contest Gallery plugin <= 23.1.2 - Unauthenticated Comment UserID And IP address Disclosure vulnerability — Contest Gallery 5.3 Medium2024-08-26
CVE-2024-38787 WordPress Import and export users and customers plugin <= 1.26.8 - Sensitive Information via Imported File vulnerability — Import and export users and customers 7.5 High2024-08-13
CVE-2024-31200 Plug and Track Sensor Net Connect 安全漏洞 — Sensor Net Connect V2 4.2 Medium2024-07-31
CVE-2024-7205 sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user — eWeLink Cloud Service 8.8AIHighAI2024-07-31
CVE-2024-38372 Undici vulnerable to data leak when using response.arrayBuffer() — undici 2.0 Low2024-07-08
CVE-2024-39315 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response — pomerium 5.7 Medium2024-07-02
CVE-2024-5213 Exposure of Sensitive Information in mintplex-labs/anything-llm — mintplex-labs/anything-llm 7.5AIHighAI2024-06-20
CVE-2024-35189 Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides — fides 6.5 Medium2024-05-30

Vulnerabilities classified as CWE-201 (通过发送数据的信息暴露) represent 333 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.