
CWE-202 (Exposure of Sensitive Information Through Data Queries) — Vulnerability Class 25

25 vulnerabilities classified as CWE-202 (Exposure of Sensitive Information Through Data Queries). AI Chinese analysis included.

CWE-202 represents a statistical inference weakness where attackers deduce sensitive individual data from aggregated query results. This vulnerability typically arises when systems return summary statistics or counts without sufficient noise or differential privacy mechanisms. Attackers exploit this by crafting specific, unique search terms or iterative queries that isolate individual records from the broader dataset, effectively stripping away anonymity. For instance, querying for rare attributes can reveal the existence or details of a specific user. To mitigate this risk, developers must implement robust access controls and apply statistical disclosure control techniques, such as adding random noise to results or enforcing minimum threshold requirements for data release. Ensuring that queries cannot uniquely identify individuals through statistical correlation is essential for maintaining confidentiality in data-intensive applications.

MITRE CWE Description
When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.
Common Consequences (1)
Confidentiality: Read Files or Directories, Read Application Data
Sensitive information may possibly be leaked through data queries accidentally.
Mitigations (1)
Architecture and Design: This is a complex topic. See [REF-1492] for a good discussion of best practices.
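As an added illustration of the threshold and noise mitigations described in the summary and in the MITRE text above (example code written for this page, not part of the CWE entry or any listed product), the Python below contrasts an exact count endpoint, which lets a predicate matching one record confirm that record's existence, with a count that enforces a minimum group size and adds Laplace noise. The record table, the MIN_GROUP value and the function names are constructed assumptions.

```python
import random
from typing import Callable, Dict, List, Optional

# Constructed sample table (not from the page). Record 7 is the only user
# in Lhasa, so a query on that attribute alone singles that user out.
RECORDS: List[Dict[str, object]] = [
    {"id": 1, "city": "Beijing", "plan": "pro"},
    {"id": 2, "city": "Beijing", "plan": "free"},
    {"id": 3, "city": "Beijing", "plan": "free"},
    {"id": 4, "city": "Shanghai", "plan": "pro"},
    {"id": 5, "city": "Shanghai", "plan": "free"},
    {"id": 6, "city": "Shanghai", "plan": "free"},
    {"id": 7, "city": "Lhasa", "plan": "pro"},
]

Predicate = Callable[[Dict[str, object]], bool]
MIN_GROUP = 3  # smallest group for which a statistic may be released (assumed)

def raw_count(pred: Predicate) -> int:
    """Unsafe aggregate endpoint: an exact count. When the predicate matches
    one record it confirms that record exists, and differencing two such
    counts (city == Lhasa vs. city == Lhasa and plan == pro) leaks attributes."""
    return sum(1 for r in RECORDS if pred(r))

def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) as the difference of two Exp(1) draws (stdlib only)."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def safe_count(pred: Predicate, epsilon: float = 1.0,
               rng: Optional[random.Random] = None) -> Optional[int]:
    """Count query with statistical disclosure control:
    1. query-set-size restriction: refuse groups smaller than MIN_GROUP;
    2. Laplace noise of scale 1/epsilon (a count has sensitivity 1), so one
       individual's presence changes the output distribution only slightly.
    Caveat: the threshold test uses the exact count, so the answer/refuse
    decision itself still reveals one bit; stricter designs noise that too."""
    exact = raw_count(pred)
    if exact < MIN_GROUP:
        return None  # suppressed rather than isolating an individual
    rng = rng or random.Random()
    return max(0, round(exact + laplace(1.0 / epsilon, rng)))

if __name__ == "__main__":
    unique = lambda r: r["city"] == "Lhasa"
    print("raw count:", raw_count(unique))    # 1: the single user is isolated
    print("safe count:", safe_count(unique))  # None: group too small, suppressed
    print("safe count (Beijing):",
          safe_count(lambda r: r["city"] == "Beijing", rng=random.Random(1)))
```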
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-30778 | Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | Apache SkyWalking | 7.5 | - | 2026-04-15
CVE-2026-33530 | InvenTree Vulnerable to ORM Filter Injection | InvenTree | 7.7 | High | 2026-03-26
CVE-2026-3546 | e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action | e-shot | 5.3 | Medium | 2026-03-21
CVE-2026-25050 | Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy | vendure | 3.7 (AI) | Low (AI) | 2026-01-30
CVE-2025-64528 | Users are able to find users by name even when `enable_names` is off | discourse | 5.3 | - | 2025-12-30
CVE-2025-69200 | phpMyFAQ has unauthenticated config backup download via /api/setup/backup | phpMyFAQ | 7.5 | High | 2025-12-29
CVE-2025-64504 | Langfuse vulnerable to cross-organization enumeration of member & invitation lists via project membership APIs | langfuse | 5.0 | Medium | 2025-11-10
CVE-2025-59352 | Dragonfly allows arbitrary file read and write on a peer machine | dragonfly | 8.8 (AI) | High (AI) | 2025-09-17
CVE-2025-36575 | Dell Wyse Management Suite WMS security vulnerability | Wyse Management Suite | 7.5 | High | 2025-06-10
CVE-2025-29981 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 7.5 | High | 2025-04-02
CVE-2025-25205 | Remote Authentication-Bypass can lead to server crash or limited information disclosure due to faulty pattern matching | audiobookshelf | 8.2 | High | 2025-02-12
CVE-2024-13255 | RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019 | RESTful Web Services | 5.3 | - | 2025-01-09
CVE-2024-20388 | Cisco Firepower Management Center security vulnerability | Cisco Firepower Management Center | 5.3 | Medium | 2024-10-23
CVE-2024-2088 | NextScripts: Social Networks Auto-Poster <= 4.4.3 - Authenticated (Subscriber+) Sensitive Information Exposure | NextScripts: Social Networks Auto-Poster | 8.5 | High | 2024-05-22
CVE-2023-7072 | Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.68 - Information Exposure via get_posts API Endpoint | Post Grid | 7.5 | High | 2024-03-12
CVE-2023-1625 | Information leak in api | openstack-heat | 7.4 | High | 2023-09-24
CVE-2023-20215 | Cisco Secure Web Appliance security vulnerability | Cisco Secure Web Appliance | 5.8 | Medium | 2023-08-03
CVE-2023-0785 | SourceCodester Best Online News Portal check_availability.php information exposure | Best Online News Portal | 3.7 | Low | 2023-02-12
CVE-2022-41623 | WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 - Sensitive Data Exposure vulnerability | ALD - AliExpress Dropshipping and Fulfillment for WooCommerce (WordPress plugin) | 7.5 | High | 2022-10-14
CVE-2022-20810 | Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP Information Disclosure Vulnerability | Cisco IOS XE Software | 6.5 | Medium | 2022-09-30
CVE-2021-4159 | Linux kernel security vulnerability | kernel | 5.5 | - | 2022-08-24
CVE-2022-20747 | Cisco SD-WAN vManage Software Information Disclosure Vulnerability | Cisco SD-WAN vManage | 6.5 | Medium | 2022-04-15
CVE-2021-34782 | Cisco DNA Center Information Disclosure Vulnerability | Cisco Digital Network Architecture Center (DNA Center) | 4.3 | Medium | 2021-10-06
CVE-2021-32743 | Passwords used to access external services inadvertently exposed through API | icinga2 | 8.8 | High | 2021-07-15
CVE-2021-1372 | Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows Shared Memory Information Disclosure Vulnerability | Cisco Webex Productivity Tools | 5.5 | Medium | 2021-02-17

Vulnerabilities classified as CWE-202 (Exposure of Sensitive Information Through Data Queries) represent 25 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.