VYPR

CWE-532

Insertion of Sensitive Information into Log File

Base | Incomplete | Likelihood: Medium

Description

The product writes sensitive information to a log file.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-215

CVEs mapped to this weakness (485)

  • CVE-2025-49846 | Med | Jul 3, 2025
    risk 0.20 | cvss | epss 0.00

    wire-ios is an iOS client for the Wire secure messaging application. From Wire iOS 3.111.1 to before 3.124.1, messages that were visible in the view port have been logged to the iOS system logs in clear text. Wire application logs created and managed by the application itself…

  • CVE-2025-0495 | Med | Mar 17, 2025
    risk 0.20 | cvss | epss 0.00

    Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured…

  • CVE-2023-6460 | Med | Dec 4, 2023
    risk 0.19 | cvss 4.0 | epss 0.00

    A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version…

  • CVE-2026-8200 | Low | May 13, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior…

  • CVE-2026-4957 | Low | Mar 27, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The…

  • CVE-2025-20373 | Low | Nov 26, 2025
    risk 0.18 | cvss 2.7 | epss 0.00

    In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new “Data Security Accounts”. The vulnerability would require either local access to the log files or administrative…

  • CVE-2025-31514 | Low | Oct 14, 2025
    risk 0.18 | cvss 2.7 | epss 0.00

    An insertion of sensitive information into log file vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.13,…

  • CVE-2025-4234 | Low | Sep 12, 2025
    risk 0.16 | cvss | epss 0.00

    A problem with the Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack can result in exposure of user credentials in application logs. Normally, these application logs are only viewable by local users and are included when generating logs for troubleshooting purposes. This…

  • CVE-2025-52580 | Low | Jul 22, 2025
    risk 0.16 | cvss 2.4 | epss 0.00

    Insertion of sensitive information into log file issue exists in "region PAY" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who has access to the application logs.

  • CVE-2018-1350 | Low | Mar 26, 2018
    risk 0.15 | cvss 2.3 | epss 0.01

    The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system enumeration.

  • CVE-2018-1349 | Low | Mar 26, 2018
    risk 0.15 | cvss 2.3 | epss 0.01

    The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system or configuration enumeration.

  • CVE-2026-25211 | Low | Jan 30, 2026
    risk 0.14 | cvss 3.2 | epss 0.00

    Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.

  • CVE-2025-24034 | Low | Jan 23, 2025
    risk 0.14 | cvss 3.2 | epss 0.00

    Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently…

  • CVE-2026-29184 | Low | Mar 7, 2026
    risk 0.13 | cvss 2.0 | epss 0.00

    Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.

  • CVE-2025-43423 | Low | Nov 4, 2025
    risk 0.13 | cvss 2.0 | epss 0.00

    A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1. An attacker with physical access to an unlocked device paired with a Mac may be able…

  • CVE-2024-12057 | Low | Dec 9, 2024
    risk 0.12 | cvss | epss 0.00

    User credentials (login & password) are inserted into log files when a user tries to authenticate using a version of a Web client that is not compatible with that of the PcVue Web back end. By exploiting this vulnerability, an attacker could retrieve the credentials of a user by…

  • CVE-2016-2943 | Low | Nov 30, 2016
    risk 0.12 | cvss 1.9 | epss 0.00

    IBM BigFix Remote Control before 9.1.3 allows local users to obtain sensitive information by leveraging unspecified privileges to read a log file.

  • CVE-2025-54781 | Low | Aug 2, 2025
    risk 0.11 | cvss 2.8 | epss 0.00

    Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaud_tasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the…

  • CVE-2025-55285 | Low | Aug 15, 2025
    risk 0.10 | cvss 2.6 | epss 0.00

    @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{…

  • CVE-2026-44969 | Low | May 14, 2026
    risk 0.07 | cvss | epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line…