CWE-209
Generation of Error Message Containing Sensitive Information
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7
CVEs mapped to this weakness (189)
Page 10 of 10

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-11883 | 0.00 | — | 0.15 | Apr 17, 2020 | In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names. |
| CVE-2020-5274 | 0.00 | — | 0.01 | Mar 30, 2020 | In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the… |
| CVE-2019-16768 | 0.00 | — | 0.01 | Dec 5, 2019 | In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may… |
| CVE-2019-5483 | 0.00 | — | 0.01 | Sep 9, 2019 | Seneca < 3.9.0 contains a vulnerability that could lead to exposing environment variables to unauthorized users. |
| CVE-2019-14433 | 0.00 | — | 0.02 | Aug 9, 2019 | An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and… |
| CVE-2019-1020013 | 0.00 | — | 0.01 | Jul 29, 2019 | parse-server before 3.6.0 allows account enumeration. |
| CVE-2019-7644 | 0.00 | — | 0.02 | Apr 11, 2019 | Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable… |
| CVE-2018-14623 | 0.00 | — | 0.01 | Dec 13, 2018 | A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This issue is related to an incomplete fix for CVE-2016-3072. Version… |
| CVE-2000-1191 | 0.00 | — | 0.03 | Aug 31, 2001 | htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path. |