BaseDraft

CWE-202Exposure of Sensitive Information Through Data Queries

Category: data-exposure

Description

When trying to keep information confidential, an attacker can often infer some of the information by using statistics. In situations where data should not be tied to individual users, but a large number of users should be able to make queries that "scrub" the identity of users, it may be possible to get information about a user -- e.g., by specifying search terms that are known to be unique to that user.

Common consequences· 1

  • Confidentiality — Read Files or Directories, Read Application Data
    Sensitive information may possibly be leaked through data queries accidentally.

Potential mitigations· 1

  • [Architecture and Design]This is a complex topic. See the [REF-1492] for a good discussion of best practices.

References

  1. https://cwe.mitre.org/data/definitions/202.html

(incoming)3

TypeTargetConfidenceTier
VulnerabilityCVE-2025-25205cve-2025-252050%live
VulnerabilityCVE-2025-59352cve-2025-593520%live
VulnerabilityCVE-2025-68456cve-2025-684560%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Exposure of Sensitive Information Due to Incompatible Policies
CWE
Improper Authorization of Index Containing Sensitive Information
CWE
Insecure Storage of Sensitive Information
CWE
Use of HTTP Request With Sensitive Query String
CWE
Exposure of Sensitive Information to an Unauthorized Actor
CWE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.