VYPR

CWE-209

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft · Likelihood of exploit: High

Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.
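The entries below show the two common shapes of this weakness: an unhandled exception whose text and traceback (absolute paths, module names, SQL fragments, even an expected JWT signature) is serialised into the HTTP response, and an authentication error whose wording tells the caller whether an account exists. The following is an added example, not code from any project listed on this page: a minimal request wrapper with the leaky handler beside a hardened one that logs full detail server-side and returns only a generic message plus a correlation ID. All names (`handle_request`, `DatabaseError`, `AuthenticationFailed`, the sample views) are illustrative, and the exception messages are constructed.

```python
from __future__ import annotations

import logging
import traceback
import uuid

log = logging.getLogger("app")


# Constructed stand-ins for the exceptions a real application would raise.
class DatabaseError(Exception):
    pass


class AuthenticationFailed(Exception):
    pass


# The only exception classes allowed to carry a specific message to the
# client, and the fixed text they map to. Everything else is "internal error".
_PUBLIC_MESSAGES = {
    AuthenticationFailed: (401, "Invalid username or password"),
}


def leaky_error_response(exc: Exception) -> tuple[int, dict]:
    """CWE-209 anti-pattern: exception text and the full traceback, including
    absolute file paths and module names, go straight into the response body."""
    return 500, {"error": repr(exc), "trace": traceback.format_exc()}


def safe_error_response(exc: Exception, debug: bool = False) -> tuple[int, dict]:
    """Hardened form: full detail is logged with a correlation ID so operators
    can find it; the client gets a generic message and the ID only.
    debug=True is the sole way to get detail back and must be off in production."""
    correlation_id = uuid.uuid4().hex
    log.error("request failed id=%s", correlation_id, exc_info=exc)
    status, message = _PUBLIC_MESSAGES.get(type(exc), (500, "Internal server error"))
    body = {"error": message, "id": correlation_id}
    if debug:
        body["detail"] = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__)
        )
    return status, body


def handle_request(view, error_handler):
    """Run a view; any exception is turned into a response by error_handler.
    The handler is invoked inside the except block so traceback.format_exc()
    sees the live exception, exactly as a framework's error middleware would."""
    try:
        return 200, view()
    except Exception as exc:  # noqa: BLE001 - deliberate catch-all at the edge
        return error_handler(exc)


# Constructed sample views that fail the way the CVEs above describe.
def failing_query_view():
    raise DatabaseError("SQLSTATE[42S02]: table 'users' not found at /srv/app/db.py")


def login_unknown_user_view():
    # The internal message names the user; it must not reach the client.
    raise AuthenticationFailed("no such user 'alice'")


if __name__ == "__main__":
    print(handle_request(failing_query_view, leaky_error_response))
    print(handle_request(failing_query_view, safe_error_response))
    print(handle_request(login_unknown_user_view, safe_error_response))
```

Two points worth checking in any real implementation: the allow-list of public messages is keyed on the exception class, never on the exception text, so a wrapped internal exception (the Sylius case) cannot smuggle its message out; and the generic response is the default path, so a new exception type added later is safe until someone deliberately maps it.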

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7

CVEs mapped to this weakness (189)

page 10 of 10
  • CVE-2020-11883 · Apr 17, 2020 · risk 0.00 · cvss n/a · epss 0.15

    In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names.

  • CVE-2020-5274 · Mar 30, 2020 · risk 0.00 · cvss n/a · epss 0.01

    In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stack trace. In addition, the stack trace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the…

  • CVE-2019-16768 · Dec 5, 2019 · risk 0.00 · cvss n/a · epss 0.01

    In affected versions of Sylius, exception messages from internal exceptions (such as a database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to the UI. Therefore, some internal system information may…

  • CVE-2019-5483 · Sep 9, 2019 · risk 0.00 · cvss n/a · epss 0.01

    Seneca < 3.9.0 contains a vulnerability that could lead to exposing environment variables to unauthorized users.

  • CVE-2019-14433 · Aug 9, 2019 · risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and…

  • CVE-2019-1020013 · Jul 29, 2019 · risk 0.00 · cvss n/a · epss 0.01

    parse-server before 3.6.0 allows account enumeration.

  • CVE-2019-7644 · Apr 11, 2019 · risk 0.00 · cvss n/a · epss 0.02

    Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable…

  • CVE-2018-14623 · Dec 13, 2018 · risk 0.00 · cvss n/a · epss 0.01

    A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This issue is related to an incomplete fix for CVE-2016-3072. Version…

  • CVE-2000-1191 · Aug 31, 2001 · risk 0.00 · cvss n/a · epss 0.03

    htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path.