CWE-209
Generation of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft · Likelihood of Exploit: High
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7
CVEs mapped to this weakness (65) · page 4 of 4

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-35232 | Low | 0.17 | 3.7 | 0.00 | | May 24, 2024 | github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2. |
| CVE-2025-55250 | Low | 0.12 | 1.8 | 0.00 | | Jan 19, 2026 | HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. |
| CVE-2010-3332 | | 0.10 | — | 0.84 | | Sep 22, 2010 | Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." |
| CVE-2023-40457 | | 0.00 | — | 0.00 | | Nov 11, 2024 | The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is "evaluating support for RFC 7606 as a future feature" and believes that "customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks." |
| CVE-2000-1191 | | 0.00 | — | 0.01 | | Aug 31, 2001 | htsearch program in htDig 3.2 beta, 3.1.6, 3.1.5, and earlier allows remote attackers to determine the physical path of the server by requesting a non-existent configuration file using the config parameter, which generates an error message that includes the full path. |