CWE-612— Improper Authorization of Index Containing Sensitive Information
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.— MITRE CWE catalog
12 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-612page 1 of 1
- CVE-2019-25605HIGHCVSS 7.5EG 7.52026-03-22
EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwor…
- CVE-2022-22565MEDIUMCVSS 4.7EG 3.82022-04-12
Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information. An authenticated and privileged user could potentially exploit this vulnerability, leading to disclosure or modificat…
- CVE-2022-35980HIGHCVSS 7.5EG 7.52022-08-12
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch…
- CVE-2022-41918MEDIUMCVSS 6.3EG 6.32022-11-15
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are…
- CVE-2023-2260HIGHCVSS 8.8EG 8.82023-04-24
Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
- CVE-2023-4560MEDIUMCVSS 6.5EG 6.52023-08-28
Improper Authorization of Index Containing Sensitive Information in GitHub repository omeka/omeka-s prior to 4.0.4.
- CVE-2024-25635HIGHCVSS 8.8EG 8.82024-02-19
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` en…
- CVE-2024-49071MEDIUMCVSS 6.5EG 6.52024-12-12
Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender allows an authorized attacker to disclose information over a network.
- CVE-2025-3653HIGHCVSS 7.3EG 7.32026-01-04
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can con…
- CVE-2025-3654MEDIUMCVSS 5.3EG 5.32026-01-04
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device se…
- CVE-2025-3660MEDIUMCVSS 6.5EG 6.52026-01-04
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send reques…
- CVE-2025-57756MEDIUMCVSS 5.3EG 5.32025-08-28
Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue…
Map vulnerabilities like CWE-612 to your infrastructure
EchelonGraph correlates every CVE — across CWE-612 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →