Common Weakness Enumeration

CWE-201

Allowed

Insertion of Sensitive Information Into Sent Data

Abstraction: Base · Status: Draft

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

673 vulnerabilities reference this CWE, most recent first.

GHSA-PXWX-C9G9-PM9P

Vulnerability from github – Published: 2025-12-18 18:30 – Updated: 2025-12-18 18:30
VLAI
Details

In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T16:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In deployments using the ScreenConnect\u2122 Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.",
  "id": "GHSA-pxwx-c9g9-pm9p",
  "modified": "2025-12-18T18:30:30Z",
  "published": "2025-12-18T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14823"
    },
    {
      "type": "WEB",
      "url": "https://www.connectwise.com/company/trust/security-bulletins/2025-12-18-screenconnect-certificate-signing-extension-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q393-QCVF-86Q5

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-13 21:30
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T09:16:43Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through \u003c= 1.3.4.",
  "id": "GHSA-q393-qcvf-86q5",
  "modified": "2026-04-13T21:30:36Z",
  "published": "2026-04-08T09:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39709"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/the-tech-tribe/vulnerability/wordpress-the-tribal-plugin-1-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3W6-Q3HC-C5X6

Vulnerability from github – Published: 2026-05-27 22:51 – Updated: 2026-05-27 22:51
VLAI
Summary
FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations
Details

Summary

The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled.

Details

File: server/api/projects/index.js

prjApp.get("/api/project", secureFnc, function(req, res) {
    const permission = checkGroupsFnc(req);
    runtime.project.getProject(req.userId, permission).then(result => {
        if (result) {
            res.json(result);
        }
    });
});

The endpoint uses the secureFnc middleware, but this middleware calls verifyToken in server/api/jwt-helper.js which auto-generates a valid guest JWT when no token is provided (line 49-51):

if (!token) {
    token = getGuestToken();
}

The guest token is signed with the server's secret and passes verification. The handler then calls getProject which returns the full project data. The _filterProjectPermission function (line 924 of server/runtime/project/index.js) filters some UI elements for non-admin users, but it does not remove scripts, devices, alarms, or other sensitive configuration data.

PoC

Environment

  • FUXA v1.3.0-2773 (frangoteam/fuxa:latest)
  • secureEnabled: true with a random secretCode

Retrieve full project data without authentication:

curl -s http://192.168.32.129:1881/api/project
{
  "scripts": [
    {
      "id": "SCRIPT_ID",
      "name": "calculate"
    },
  ]
}

No authentication token, API key, or cookie was provided. The response includes:

  • Server-side scripts: full source code, IDs, names, execution mode, and permission levels. This reveals internal automation logic and sensitive project structure information that could assist further attacks against the deployed system.
  • Device configurations: and communication endpoint information may also be exposed depending on the deployed project configuration.
  • HMI views: the full SVG content and layout of every operator screen, including variable bindings that map UI elements to device tags.
  • Alarm definitions: alarm thresholds, conditions, and notification settings when configured.

Impact

The endpoint may expose sensitive project configuration data including script metadata, device connection information, HMI configuration, and alarm definitions. In industrial environments this information can assist further targeted attacks against the deployed system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T22:51:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled.\n\n### Details\n\nFile: `server/api/projects/index.js`\n\n```javascript\nprjApp.get(\"/api/project\", secureFnc, function(req, res) {\n    const permission = checkGroupsFnc(req);\n    runtime.project.getProject(req.userId, permission).then(result =\u003e {\n        if (result) {\n            res.json(result);\n        }\n    });\n});\n```\n\nThe endpoint uses the `secureFnc` middleware, but this middleware calls `verifyToken` in `server/api/jwt-helper.js` which auto-generates a valid guest JWT when no token is provided (line 49-51):\n\n```javascript\nif (!token) {\n    token = getGuestToken();\n}\n```\n\nThe guest token is signed with the server\u0027s secret and passes verification. The handler then calls `getProject` which returns the full project data. The `_filterProjectPermission` function (line 924 of `server/runtime/project/index.js`) filters some UI elements for non-admin users, but it does not remove scripts, devices, alarms, or other sensitive configuration data.\n\n### PoC\n\n**Environment**\n\n- FUXA v1.3.0-2773 (`frangoteam/fuxa:latest`)\n- `secureEnabled: true` with a random `secretCode`\n\n**Retrieve full project data without authentication:**\n\n```bash\ncurl -s http://192.168.32.129:1881/api/project\n```\n\n```json\n{\n  \"scripts\": [\n    {\n      \"id\": \"SCRIPT_ID\",\n      \"name\": \"calculate\"\n    },\n  ]\n}\n```\n\nNo authentication token, API key, or cookie was provided. The response includes:\n\n- **Server-side scripts**: full source code, IDs, names, execution mode, and permission levels. This reveals internal automation logic and sensitive project structure information that could assist further attacks against the deployed system.\n- **Device configurations**: and communication endpoint information may also be exposed depending on the deployed project configuration.\n- **HMI views**: the full SVG content and layout of every operator screen, including variable bindings that map UI elements to device tags.\n- **Alarm definitions**: alarm thresholds, conditions, and notification settings when configured.\n\n### Impact\n\nThe endpoint may expose sensitive project configuration data including script metadata, device connection information, HMI configuration, and alarm definitions. In industrial environments this information can assist further targeted attacks against the deployed system.",
  "id": "GHSA-q3w6-q3hc-c5x6",
  "modified": "2026-05-27T22:51:18Z",
  "published": "2026-05-27T22:51:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-q3w6-q3hc-c5x6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FUXA\u0027s Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations"
}

GHSA-Q6X4-WV79-P5W4

Vulnerability from github – Published: 2026-04-27 09:34 – Updated: 2026-04-27 09:34
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T09:16:02Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.",
  "id": "GHSA-q6x4-wv79-p5w4",
  "modified": "2026-04-27T09:34:39Z",
  "published": "2026-04-27T09:34:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42379"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q747-C74M-69PR

Vulnerability from github – Published: 2025-11-03 20:12 – Updated: 2025-11-04 22:16
VLAI
Summary
MantisBT lacks verification when changing a user's email address
Details

When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.

Impact

This could result in storing an invalid email address, preventing the user from receiving system notifications.

Notifications sent to another person's email address could lead to information disclosure.

Patches

Fixed in 2.27.2.

Workarounds

None

Credits

Thanks to @ncrcs for discovering and reporting the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.27.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-03T20:12:18Z",
    "nvd_published_at": "2025-11-04T21:15:39Z",
    "severity": "MODERATE"
  },
  "details": "When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.\n\n### Impact\nThis could result in storing an invalid email address, preventing the user from receiving system notifications.\n\nNotifications sent to another person\u0027s email address could lead to information disclosure.\n\n### Patches\nFixed in 2.27.2.\n\n### Workarounds\nNone\n\n### Credits\n\nThanks to @ncrcs for discovering and reporting the issue.",
  "id": "GHSA-q747-c74m-69pr",
  "modified": "2025-11-04T22:16:29Z",
  "published": "2025-11-03T20:12:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=36005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MantisBT lacks verification when changing a user\u0027s email address"
}

GHSA-QFFJ-HQP2-QRXM

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing.This issue affects Image Sizes: from 0.0.0 before 3.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T19:15:19Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in Drupal Image Sizes allows Forceful Browsing.This issue affects Image Sizes: from 0.0.0 before 3.0.2.",
  "id": "GHSA-qffj-hqp2-qrxm",
  "modified": "2025-01-10T18:31:39Z",
  "published": "2025-01-09T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13259"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QGX5-262M-999P

Vulnerability from github – Published: 2025-04-02 06:30 – Updated: 2025-04-02 06:30
VLAI
Details

AssetView and AssetView CLOUD contain an issue with acquiring sensitive information from sent data to the developer. If exploited, sensitive information may be obtained by a remote unauthenticated attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-02T04:15:35Z",
    "severity": "MODERATE"
  },
  "details": "AssetView and AssetView CLOUD contain an issue with acquiring sensitive information from sent data to the developer. If exploited, sensitive information may be obtained by a remote unauthenticated attacker.",
  "id": "GHSA-qgx5-262m-999p",
  "modified": "2025-04-02T06:30:49Z",
  "published": "2025-04-02T06:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27244"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN26321838"
    },
    {
      "type": "WEB",
      "url": "https://www.hammock.jp/assetview/info/250325.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJV9-CQ4H-7C4J

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

A CSRF token visible in the URL may possibly lead to information disclosure vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CSRF token visible in the URL may possibly lead to information disclosure vulnerability.",
  "id": "GHSA-qjv9-cq4h-7c4j",
  "modified": "2022-04-21T00:00:52Z",
  "published": "2022-04-13T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27671"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3130497"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPPC-993H-86QQ

Vulnerability from github – Published: 2026-01-05 12:30 – Updated: 2026-04-01 18:36
VLAI
Details

Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-05T11:17:41Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data.This issue affects Custom Related Posts: from n/a through 1.8.0.",
  "id": "GHSA-qppc-993h-86qq",
  "modified": "2026-04-01T18:36:31Z",
  "published": "2026-01-05T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68033"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ2R-6J4W-49QC

Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 21:30
VLAI
Details

Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive Information into Sent Data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-28T18:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before \u0026 after v.11.1.25134.03 inserts Sensitive Information into Sent Data.",
  "id": "GHSA-qq2r-6j4w-49qc",
  "modified": "2025-05-28T21:30:37Z",
  "published": "2025-05-28T18:33:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48749"
    },
    {
      "type": "WEB",
      "url": "https://community.netwrix.com/t/adv-2025-014-critical-vulnerabilities-in-netwrix-directory-manager-formerly-imanami-groupid-v11/13951"
    },
    {
      "type": "WEB",
      "url": "https://netwrix.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.

Mitigation
Implementation

Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Mitigation
System Configuration

Setup default error messages so that unexpected errors do not disclose sensitive information.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-217: Exploiting Incorrectly Configured SSL/TLS

An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

CAPEC-612: WiFi MAC Address Tracking

In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.

CAPEC-613: WiFi SSID Tracking

In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.

CAPEC-618: Cellular Broadcast Message Request

In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.

CAPEC-619: Signal Strength Tracking

In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.

CAPEC-621: Analysis of Packet Timing and Sizes

An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).

CAPEC-622: Electromagnetic Side-Channel Attack

In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.

CAPEC-623: Compromising Emanations Attack

Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing.