Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-497 (将系统数据暴露到未授权控制的范围) — Vulnerability Class 291

291 vulnerabilities classified as CWE-497 (将系统数据暴露到未授权控制的范围). AI Chinese analysis included.

CWE-497 represents a critical information disclosure weakness where software inadvertently exposes sensitive system-level details to unauthorized external entities. This vulnerability typically arises when network-facing applications, such as web servers, fail to sanitize error messages or headers, allowing attackers to glean valuable intelligence about the underlying operating system, database versions, or server configurations. Exploitation often involves analyzing verbose error responses or specific network packets to identify known vulnerabilities in the exposed software stack, facilitating targeted attacks like remote code execution. To mitigate this risk, developers must implement strict error handling protocols that return generic, user-friendly messages instead of detailed stack traces. Additionally, configuring web servers to suppress version information in headers and employing robust input validation ensures that internal system architecture remains obscured from potential adversaries, thereby reducing the attack surface significantly.

MITRE CWE Description
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. Network-based products, such as web applications, often run on top of an operating system or similar environment. When the product communicates with outside parties, details about the underlying system are expected to remain hidden, such as path names for data files, other OS users, installed packages, the application environment, etc. This system information may be provided by the product itself, or buried within diagnostic or debugging messages. Debugging information helps an adversary learn about the system and form an attack plan. An information exposure occurs when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. Using other weaknesses, an attacker could cause errors to occur; the response to these errors can reveal detailed system information, along with other impacts. An attacker can use messages that reveal technologies, operating systems, and product versions to tune the attack against known vulnerabilities in these technologies. A product may use diagnostic methods that provide significant implementation details such as stack traces as part of its error handling mechanism.
Common Consequences (1)
ConfidentialityRead Application Data
Mitigations (1)
Architecture and Design, ImplementationProduction applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
Examples (2)
The following code prints the path environment variable to the standard error stream:
char* path = getenv("PATH"); ... sprintf(stderr, "cannot find exe on path %s\n", path);
Bad · C
This code prints all of the running processes belonging to the current user.
//assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (avoiding CWE-78) $userName = getCurrentUser(); $command = 'ps aux | grep ' . $userName; system($command);
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2025-62114 WordPress Download Media Library plugin <= 0.2.1 - Sensitive Data Exposure vulnerability — Download Media Library 5.3 Medium2025-12-31
CVE-2025-69026 WordPress PopupKit plugin <= 2.1.5 - Sensitive Data Exposure vulnerability — PopupKit 4.3 Medium2025-12-30
CVE-2025-69025 WordPress Poptics plugin <= 1.0.20 - Sensitive Data Exposure vulnerability — Poptics 4.3 Medium2025-12-30
CVE-2025-68988 WordPress E-Invoice App Malaysia plugin <= 1.3.0 - Sensitive Data Exposure vulnerability — E-Invoice App Malaysia 5.3 Medium2025-12-30
CVE-2025-36229 Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Aspera Faspex — Aspera Faspex 5 3.1 Low2025-12-26
CVE-2025-68943 Gitea 安全漏洞 — Gitea 5.3 Medium2025-12-26
CVE-2025-68606 WordPress PostX plugin <= 5.0.3 - Sensitive Data Exposure vulnerability — PostX 5.3 Medium2025-12-24
CVE-2025-68576 WordPress Virusdie plugin <= 1.1.6 - Sensitive Data Exposure vulnerability — Virusdie 4.3 Medium2025-12-24
CVE-2025-67621 WordPress Eight Day Week Print Workflow plugin <= 1.2.5 - Sensitive Data Exposure vulnerability — Eight Day Week Print Workflow 4.3 Medium2025-12-24
CVE-2025-68494 WordPress Premium Addons for Elementor plugin <= 4.11.53 - Sensitive Data Exposure vulnerability — Premium Addons for Elementor 5.3 Medium2025-12-24
CVE-2025-68551 WordPress VPSUForm plugin <= 3.2.24 - Sensitive Data Exposure vulnerability — VPSUForm 6.5 Medium2025-12-23
CVE-2025-11545 Sharp NP series 安全漏洞 — NP-PA1705UL-W, NP-PA1705UL-W+, NP-PA1705UL-B, NP-PA1705UL-B+, NP-PA1505UL-W, NP-PA1505UL-W+, NP-PA1505UL-B, NP-PA1505UL-B+, NP-PA1505UL-BJL NP-PV800UL-W, NP-PV800UL-W+, NP-PV800UL-B, NP-PV800UL-B+, NP-PV710UL-W, NP-PV710UL-W+, NP-PV710UL-B, NP-PV710UL-B+, NP-PV800UL-W1, NP-PV800UL-B1, NP-PV710UL-W1, NP-PV710UL-B1, NP-PV800UL-B1G, NP-PV710UL-B1G, NP-PV800UL-WH, NP-PV710UL-WH, NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH NP-PV710UL+ NP-PA1004UL-W, NP-PA1004UL-WG, NP-PA1004UL-W+, NP-PA1004UL-WH, NP-PA1004UL-B, NP-PA1004UL-BG, NP-PA1004UL-B+, NP-PA804UL-W, NP-PA804UL-WG, NP-PA804UL-W+, NP-PA804UL-WH, NP-PA804UL-B, NP-PA804UL-BG, NP-PA804UL-B+, NP-PA1004UL-BH, NP-PA804UL-BH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG NP-CU4300XD, NP-CU4200XD, NP-CU4200WD, NP-UM383WL, NP-UM383WLG, NP-CJ2200WD, NP-PH3501QL, NP-PH3501QL+, NP-PH2601QL, NP-PH2601QL+, NP-PH350Q40L, NP-PH260Q30L, NP-PX1005QL-W, NP-PX1005QL-B, NP-PX1005QL-B+, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+ 9.1AICriticalAI2025-12-22
CVE-2025-62955 WordPress TempTool [Show Current Template Info] plugin <= 1.3.1 - Sensitive Data Exposure vulnerability — TempTool [Show Current Template Info] 4.3 Medium2025-12-21
CVE-2024-58320 Kentico Xperience <= 13.0.159 Authentication Information Disclosure — Xperience 5.3 Medium2025-12-18
CVE-2019-25230 Kentico Xperience <= 12.0.0 User Widget Information Disclosure — Xperience 4.3 Medium2025-12-18
CVE-2019-25228 Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure — Xperience 5.3 Medium2025-12-18
CVE-2025-67546 WordPress WP ERP plugin <= 1.16.6 - Sensitive Data Exposure vulnerability — WP ERP 6.5 Medium2025-12-18
CVE-2025-64270 WordPress Masteriyo - LMS plugin <= 2.0.3 - Sensitive Data Exposure vulnerability — Masteriyo - LMS 6.5 Medium2025-12-18
CVE-2025-64272 WordPress Email marketing for WordPress by GetResponse Official plugin <= 1.5.3 - Sensitive Data Exposure vulnerability — Email marketing for WordPress by GetResponse Official 6.5 Medium2025-12-18
CVE-2025-64258 WordPress Follow My Blog Post plugin <= 2.3.9 - Sensitive Data Exposure vulnerability — Follow My Blog Post 7.5 High2025-12-18
CVE-2025-49914 WordPress Restaurant Menu by MotoPress plugin <= 2.4.7 - Sensitive Data Exposure vulnerability — Restaurant Menu by MotoPress 6.5 Medium2025-12-18
CVE-2025-47319 Exposure of Sensitive System Information to an Unauthorized Control Sphere in HLOS — Snapdragon 6.7 Medium2025-12-18
CVE-2025-34442 AVideo < 20.1 System Path Disclosure via Public API — AVideo 5.3AIMediumAI2025-12-17
CVE-2025-67948 WordPress SendPulse Email Marketing Newsletter plugin <= 2.2.1 - Sensitive Data Exposure vulnerability — SendPulse Email Marketing Newsletter 4.3 Medium2025-12-16
CVE-2025-14712 JHENG GAO|Student Learning Assessment and Support System - Exposure of Sensitive Information — Student Learning Assessment and Support System 7.5 High2025-12-15
CVE-2025-67717 Zitadel Discloses the Total Number of Instance Users — zitadel 4.3AIMediumAI2025-12-11
CVE-2025-63070 WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability — Download Manager 4.3 Medium2025-12-09
CVE-2025-63058 WordPress Custom Field Template plugin <= 2.7.6 - Sensitive Data Exposure vulnerability — Custom Field Template 4.3 Medium2025-12-09
CVE-2025-63013 WordPress WP Hotel Booking plugin <= 2.2.7 - Sensitive Data Exposure vulnerability — WP Hotel Booking 4.3 Medium2025-12-09
CVE-2025-63009 WordPress WP Google Analytics Events plugin <= 2.8.2 - Sensitive Data Exposure vulnerability — WP Google Analytics Events 5.3 Medium2025-12-09

Vulnerabilities classified as CWE-497 (将系统数据暴露到未授权控制的范围) represent 291 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.