CWE-1295
Debug Messages Revealing Unnecessary Information
Abstraction: Base
Status: Incomplete
Description
The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-121
CVEs mapped to this weakness (8)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-38516 | High | 0.50 | 8.8 | 0.00 | | Jun 25, 2024 | ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in the error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22. |
| CVE-2025-31001 | High | 0.49 | 7.5 | 0.00 | | Apr 1, 2025 | Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit gtm-kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through <= 2.4.0. |
| CVE-2023-5392 | High | 0.49 | 7.5 | 0.00 | | Apr 11, 2024 | C300 information leak due to an analysis feature which allows extracting more memory over the network than required by the function. Honeywell recommends updating to the most recent version of the product. See the Honeywell Security Notification for recommendations on upgrading and versioning. |
| CVE-2025-42604 | Medium | 0.45 | — | 0.01 | | Apr 23, 2025 | This vulnerability exists in Meon KYC solutions because debug mode is enabled in certain API endpoints. A remote attacker could exploit this vulnerability by accessing certain unauthorized API endpoints, receiving detailed error messages in the response and thereby disclosing system-related information. |
| CVE-2025-2877 | Medium | 0.42 | 6.5 | 0.00 | | Mar 28, 2025 | A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams. |
| CVE-2025-59109 | Medium | 0.33 | — | 0.00 | | Jan 26, 2026 | The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the back. The PIN pad sends every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker can easily remove the device, install a hardware implant which connects to the UART, and exfiltrate the data exposed via UART to another system (e.g. via WiFi). |
| CVE-2024-11217 | Medium | 0.32 | 4.9 | 0.00 | | Nov 15, 2024 | A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug or higher for OIDC/GitHub/GitLab/Google IDP login options. |
| CVE-2024-27179 | Medium | 0.31 | 4.7 | 0.00 | | Jun 14, 2024 | Admin cookies are written in clear text in logs. An attacker can retrieve them and bypass the authentication mechanism. For the affected products/models/versions, see the reference URL. |