Common Weakness Enumeration

CWE-1295

Allowed

Debug Messages Revealing Unnecessary Information

Abstraction: Base · Status: Incomplete

The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.

41 vulnerabilities reference this CWE, most recent first.

GHSA-3FF6-X43R-FCJ7

Vulnerability from github – Published: 2024-02-10 03:30 – Updated: 2024-02-10 03:30
VLAI
Details

Dell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-10T03:15:07Z",
    "severity": "MODERATE"
  },
  "details": "\nDell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user. \n\n",
  "id": "GHSA-3ff6-x43r-fcj7",
  "modified": "2024-02-10T03:30:19Z",
  "published": "2024-02-10T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28077"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000214287/dsa-2023-156-dell-bsafe-ssl-j-7-1-1-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-46C3-5XC5-WWHV

Vulnerability from github – Published: 2024-11-15 09:32 – Updated: 2025-01-21 17:59
VLAI
Summary
Apache Airflow: Sensitive configuration values are not masked in the logs by default
Details

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-15T20:35:11Z",
    "nvd_published_at": "2024-11-15T09:15:14Z",
    "severity": "HIGH"
  },
  "details": "Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability.\u00a0If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.",
  "id": "GHSA-46c3-5xc5-wwhv",
  "modified": "2025-01-21T17:59:27Z",
  "published": "2024-11-15T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/43040"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-182.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/11/15/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow: Sensitive configuration values are not masked in the logs by default"
}

GHSA-4M2M-3RVH-CP5P

Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-27 09:30
VLAI
Details

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T10:16:08Z",
    "severity": "MODERATE"
  },
  "details": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).",
  "id": "GHSA-4m2m-3rvh-cp5p",
  "modified": "2026-01-27T09:30:29Z",
  "published": "2026-01-26T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59109"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dkaccess"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dormakaba"
    },
    {
      "type": "WEB",
      "url": "https://www.dormakabagroup.com/en/security-advisories"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2026/Jan/24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6J5X-6P93-F5M6

Vulnerability from github – Published: 2025-04-10 15:31 – Updated: 2025-04-10 15:31
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-10T14:15:27Z",
    "severity": "LOW"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.",
  "id": "GHSA-6j5x-6p93-f5m6",
  "modified": "2025-04-10T15:31:49Z",
  "published": "2025-04-10T15:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2469"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3030586"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/525374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VG5-GH5C-GR5C

Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-18 18:32
VLAI
Details

A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T17:16:01Z",
    "severity": "MODERATE"
  },
  "details": "A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.",
  "id": "GHSA-6vg5-gh5c-gr5c",
  "modified": "2025-11-18T18:32:53Z",
  "published": "2025-11-18T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46775"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-259"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72MH-368W-4Q93

Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34
VLAI
Details

Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T06:15:55Z",
    "severity": "HIGH"
  },
  "details": "Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.",
  "id": "GHSA-72mh-368w-4q93",
  "modified": "2026-04-01T18:34:19Z",
  "published": "2025-04-01T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31001"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85H4-FVWM-CJX7

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30
VLAI
Details

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T20:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Medical Informatics Engineering Enterprise Health includes the user\u0027s current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08.",
  "id": "GHSA-85h4-fvwm-cjx7",
  "modified": "2025-09-29T21:30:26Z",
  "published": "2025-09-29T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35031"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35031"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9C9R-3PVJ-MX5R

Vulnerability from github – Published: 2024-04-11 21:30 – Updated: 2024-04-11 21:30
VLAI
Details

C300 information leak due to an analysis feature which allows extracting more memory over the network than required by the function. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-11T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "C300 information leak due to an analysis feature which allows extracting more memory over the network than required by the function.\u00a0Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. \n\n",
  "id": "GHSA-9c9r-3pvj-mx5r",
  "modified": "2024-04-11T21:30:50Z",
  "published": "2024-04-11T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5392"
    },
    {
      "type": "WEB",
      "url": "https://process.honeywell.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C363-2F5P-C4CV

Vulnerability from github – Published: 2024-11-15 21:30 – Updated: 2024-11-15 21:30
VLAI
Details

A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T21:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.",
  "id": "GHSA-c363-2f5p-c4cv",
  "modified": "2024-11-15T21:30:47Z",
  "published": "2024-11-15T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11217"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-11217"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326230"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CH48-9R3Q-PV7X

Vulnerability from github – Published: 2023-06-22 20:01 – Updated: 2023-06-22 20:01
VLAI
Summary
Vaadin vulnerable to possible information disclosure of class and method names in RPC response
Details

Description

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

https://vaadin.com/security/cve-2023-25500

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "9.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.3.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.1.alpha1"
            },
            {
              "fixed": "24.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "14.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "22.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.1.0.alpha1"
            },
            {
              "fixed": "24.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T20:01:03Z",
    "nvd_published_at": "2023-06-22T13:15:09Z",
    "severity": "LOW"
  },
  "details": "### Description\nPossible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.\n\nhttps://vaadin.com/security/cve-2023-25500",
  "id": "GHSA-ch48-9r3q-pv7x",
  "modified": "2023-06-22T20:01:03Z",
  "published": "2023-06-22T20:01:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/16935"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/platform"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2023-25500"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vaadin vulnerable to possible information disclosure of class and method names in RPC response"
}

Mitigation
Implementation

Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response.

CAPEC-121: Exploit Non-Production Interfaces

An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.