CVE-2018-7251
Description
An issue was discovered in config/error.php in Anchor 0.12.3. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error (such as "Too many connections") has occurred.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Anchor CMS 0.12.3 exposes error logs at errors.log, leaking MySQL credentials after database errors.
Vulnerability
In Anchor CMS 0.12.3, the file config/error.php writes error logs to errors.log. This log file is accessible via the web at the /errors.log URI without authentication. When a MySQL error occurs (e.g., "Too many connections"), the error message includes the MySQL connection credentials, leading to exposure of the database username and password.
Exploitation
An attacker can exploit this by accessing the /errors.log endpoint on the affected Anchor CMS installation. If a MySQL error has been triggered (either by normal usage or by deliberately causing a database connection issue), the log file will contain the MySQL credentials. No authentication is required to read the log file.
Impact
Successful exploitation results in the disclosure of MySQL database credentials. An attacker with these credentials can connect to the database, potentially reading, modifying, or deleting data. This can lead to full compromise of the CMS data and underlying server if the database user has sufficient privileges.
Mitigation
The Anchor CMS project is no longer maintained ([3]). No official patch or fix has been released for CVE-2018-7251. The recommended workaround is to remove or restrict access to the errors.log file, or disable error logging entirely. As discussed in the GitHub issue ([4]), the error log should not be publicly accessible.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
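The Mitigation text above says the error log should not be publicly accessible. The following is an added example, not code from Anchor CMS or from the cited advisories, showing a local audit that lists every .log file stored under a web-served directory and flags lines that look like database connection details. The page does not show Anchor's log format, so the patterns, the sample tree and the sample log lines are constructed assumptions.

```python
import os
import re
import tempfile

# Assumed indicators of database connection details in a log line; the page
# does not show Anchor's log format, so these patterns are illustrative.
CREDENTIAL_PATTERNS = [
    re.compile(r"mysql:[^\s'\"]*host=", re.I),                       # PDO-style DSN
    re.compile(r"\b(pass(word)?|pwd)\b\s*['\"]?\s*(=>|=|:)", re.I),  # password field
]

def find_exposed_logs(docroot):
    """Return [(relative_path, [line numbers with credential-like text])]
    for every *.log file stored under the web-served directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(".log"):
                continue
            path = os.path.join(dirpath, name)
            hits = []
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                        hits.append(lineno)
            findings.append((os.path.relpath(path, docroot), hits))
    return sorted(findings)

def demo():
    # Constructed sample tree and log content, not taken from a real install.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "errors.log"), "w") as fh:
            fh.write("[2018-02-19] PDOException: SQLSTATE[HY000] [1040] "
                     "Too many connections\n")
            fh.write("#0 PDO->__construct('mysql:dbname=blog;host=localhost', "
                     "'cms_user', 'EXAMPLE-PASSWORD')\n")
        os.mkdir(os.path.join(root, "content"))
        with open(os.path.join(root, "content", "upload.log"), "w") as fh:
            fh.write("uploaded header.png\n")
        return find_exposed_logs(root)

if __name__ == "__main__":
    for rel, hits in demo():
        detail = "credential-like lines: %s" % hits if hits else "no credential-like lines"
        print("%s is inside the web root (%s)" % (rel, detail))
```

Any file this reports is a candidate for moving outside the document root or for a web-server deny rule; a log with flagged lines also means the database password should be rotated.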
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| anchorcms/anchor-cms (Packagist) | < 0.12.7 | 0.12.7 |
References
- github.com/advisories/GHSA-hxcw-pqqc-rv85 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-7251 (ghsa, ADVISORY)
- packetstormsecurity.com/files/154723/Anchor-CMS-0.12.3a-Information-Disclosure.html (ghsa, x_refsource_MISC, WEB)
- www.andmp.com/2018/02/advisory-assigned-CVE-2018-7251-in-anchorcms.html (ghsa, x_refsource_MISC, WEB)
- github.com/anchorcms/anchor-cms/issues/1247 (ghsa, x_refsource_MISC, WEB)
- github.com/anchorcms/anchor-cms/releases/tag/0.12.7 (ghsa, x_refsource_CONFIRM, WEB)
- twitter.com/finnwea/status/965279233030393856 (ghsa, x_refsource_MISC, WEB)