CVEbaza.plSłownik CWECWE-612
Common Weakness Enumeration

CWE-612

Improper Authorization of Index Containing Sensitive Information

Kategoria: BaseCVE: 11
Opis

Produkt tworzy indeks wyszukiwania dla prywatnych lub poufnych dokumentów, ale nie ogranicza prawidłowo dostępu do indeksu dla użytkowników uprawnionych do przeglądania oryginalnych informacji. Może to prowadzić do nieautoryzowanego ujawnienia wrażliwych danych poprzez funkcjonalność wyszukiwania.

Description (EN)

The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.

Podatności CVE z CWE-612 (11)
8.8
CVSS
HIGH
CVE-2024-25635

alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint, which exposes the details of the provided user ID. This may also expose the API KEY in the username of the user. Version 2.0-M4-2402 fixes this issue.

pub. 2024-02-19
8.7
CVSS
HIGH
CVE-2019-25605

EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials.

pub. 2026-03-22
7.5
CVSS
HIGH
CVE-2022-35980

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.

pub. 2022-08-12
6.9
CVSS
MEDIUM
CVE-2025-3653

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks.

pub. 2026-01-04
6.9
CVSS
MEDIUM
CVE-2025-3654

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks.

pub. 2026-01-04
6.9
CVSS
MEDIUM
CVE-2025-3660

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks.

pub. 2026-01-04
6.5
CVSS
MEDIUM
CVE-2024-49071

Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender allows an authorized attacker to disclose information over a network.

pub. 2024-12-12
6.5
CVSS
MEDIUM
CVE-2023-4560

Improper Authorization of Index Containing Sensitive Information in GitHub repository omeka/omeka-s prior to 4.0.4.

pub. 2023-08-28
6.3
CVSS
MEDIUM
CVE-2022-41918

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.

pub. 2022-11-15
5.3
CVSS
MEDIUM
CVE-2025-57756

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.

pub. 2025-08-28
4.7
CVSS
MEDIUM
CVE-2022-22565

Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information. An authenticated and privileged user could potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

pub. 2022-04-12
Informacje
ID: CWE-612
Typ: Base
Podatności: 11
MITRE CWE ↗
← Słownik CWE