VYPR

CWE-532

Insertion of Sensitive Information into Log File

Abstraction: Base | Structure: Incomplete | Likelihood of exploit: Medium

Description

The product writes sensitive information to a log file.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-215

CVEs mapped to this weakness (485)

page 7 of 25
  • CVE-2018-3817 | Medium | Mar 30, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

  • CVE-2018-7204 | High | Mar 7, 2018
    risk 0.42 | cvss 7.5 | epss 0.03

    inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not…

  • CVE-2018-2372 | Medium | Feb 14, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    A plain keystore password is written to a system log file in SAP HANA Extended Application Services, 1.0, which could endanger confidentiality of SSL communication.

  • CVE-2017-11134 | Medium | Aug 1, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them.

  • CVE-2017-3744 | Medium | Jun 20, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear…

  • CVE-2016-10362 | Medium | Jun 16, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    Prior to Logstash version 5.0.1, the Elasticsearch Output plugin, when updating connections after sniffing, would log HTTP basic auth credentials to file.

  • CVE-2016-6799 | High | May 9, 2017
    risk 0.42 | cvss 7.5 | epss 0.03

    Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB…

  • CVE-2025-54319 | Medium | Jul 20, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials).

  • CVE-2025-24389 | Medium | Jan 27, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) Community Edition log mechanism and mails sent to the system administrator. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS))…

  • CVE-2018-1000089 | High | Mar 13, 2018
    risk 0.41 | cvss 7.4 | epss 0.01

    Anymail django-anymail version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs being able to fabricate email tracking events. This attack appears to be exploitable via If you…

  • CVE-2026-6720 | High | May 28, 2026
    risk 0.40 | cvss n/a | epss 0.00

    When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig…

  • CVE-2019-25683 | Medium | Apr 5, 2026
    risk 0.40 | cvss 6.2 | epss 0.00

    FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters…

  • CVE-2025-6624 | High | Jun 26, 2025
    risk 0.40 | cvss 7.2 | epss 0.00

    Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI…

  • CVE-2024-27154 | Medium | Jun 14, 2024
    risk 0.40 | cvss 6.2 | epss 0.00

    Passwords are stored in clear-text logs. An attacker can retrieve passwords. As for the affected products/models/versions, see the reference URL.

  • CVE-2017-5137 | Medium | Feb 5, 2017
    risk 0.40 | cvss 6.2 | epss 0.01

    An issue was discovered on SendQuick Entera and Avera devices before 2HF16. An attacker could request and download the SMS logs from an unauthenticated perspective.

  • CVE-2025-2002 | Medium | Mar 12, 2025
    risk 0.39 | cvss 6.0 | epss 0.00

    CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the…

  • CVE-2025-24362 | High | Jan 24, 2025
    risk 0.39 | cvss n/a | epss 0.01

    In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to…

  • CVE-2018-10855 | Medium | Jul 3, 2018
    risk 0.39 | cvss 5.9 | epss 0.03

    Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in…

  • CVE-2018-8719 | Medium | Apr 4, 2018
    risk 0.39 | cvss 5.3 | epss 0.16

    An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allow attackers to possibly find sensitive information.

  • CVE-2026-7824 | Medium | May 5, 2026
    risk 0.38 | cvss n/a | epss 0.00

    An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the…