CWE-209
AllowedGeneration of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft
The product generates an error message that includes sensitive information about its environment, users, or associated data.
833 vulnerabilities reference this CWE, most recent first.
GHSA-F4X9-GW7P-923P
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10In SapphireIMS 4097_1, it is possible to guess the registered/active usernames of the software from the errors it gives out for each type of user on the Login form. For "Incorrect User" - it gives an error "The application failed to identify the user. Please contact administrator for help." For "Correct User and Incorrect Password" - it gives an error "Authentication failed. Please login again."
{
"affected": [],
"aliases": [
"CVE-2017-16629"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T21:15:00Z",
"severity": "HIGH"
},
"details": "In SapphireIMS 4097_1, it is possible to guess the registered/active usernames of the software from the errors it gives out for each type of user on the Login form. For \"Incorrect User\" - it gives an error \"The application failed to identify the user. Please contact administrator for help.\" For \"Correct User and Incorrect Password\" - it gives an error \"Authentication failed. Please login again.\"",
"id": "GHSA-f4x9-gw7p-923p",
"modified": "2022-05-24T19:10:39Z",
"published": "2022-05-24T19:10:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16629"
},
{
"type": "WEB",
"url": "https://vuln.shellcoder.party/2020/07/18/cve-2017-16629-sapphireims-login-page-information-disclosure"
},
{
"type": "WEB",
"url": "https://vuln.shellcoder.party/tags/sapphireims"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F5PP-PMQ8-GP46
Vulnerability from github – Published: 2024-05-20 16:51 – Updated: 2024-05-20 16:51Passbolt uses three cookies: a session cookie, a CSRF protection cookie and a cookie to keep track of the multiple-factor authentication process.
Both the session cookie and the mfa cookie are properly set HTTP-only to prevent an attacker from retrieving the content of those cookies if they managed to exploit an XSS.
The /auth/verify.json endpoint returns a JSON that, among other things, contains the cookies sent in the request. (similar to the TRACE HTTP method)
An attacker who manages to leverage an XSS vulnerability could retrieve the session cookies of a legitimate user, effectively granting them the ability to retrieve information (such as encrypted password list or group list) without requiring user interaction.
This vulnerability has a low impact, but no immediate risk due to it requiring the exploitation of an XSS vulnerability that has yet to be found.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "passbolt/passbolt_api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-20T16:51:24Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Passbolt uses three cookies: a session cookie, a CSRF protection cookie and a cookie to keep track of the multiple-factor authentication process.\n\nBoth the session cookie and the mfa cookie are properly set HTTP-only to prevent an attacker from retrieving the content of those cookies if they managed to exploit an XSS.\n\nThe /auth/verify.json endpoint returns a JSON that, among other things, contains the cookies sent in the request. (similar to the TRACE HTTP method)\n\nAn attacker who manages to leverage an XSS vulnerability could retrieve the session cookies of a legitimate user, effectively granting them the ability to retrieve information (such as encrypted password list or group list) without requiring user interaction.\n\nThis vulnerability has a low impact, but no immediate risk due to it requiring the exploitation of an XSS vulnerability that has yet to be found.",
"id": "GHSA-f5pp-pmq8-gp46",
"modified": "2024-05-20T16:51:24Z",
"published": "2024-05-20T16:51:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/passbolt/passbolt_api/commit/fbf99fed4b60db5fec97b58a2251a04bb42c1b15"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/passbolt/passbolt_api/2019-02-11-2.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/passbolt/passbolt_api"
},
{
"type": "WEB",
"url": "https://www.passbolt.com/incidents/20190211_multiple_vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Passbolt Api Retrieval of HTTP-only cookies"
}
GHSA-F5V8-V6Q3-Q4H6
Vulnerability from github – Published: 2026-04-16 22:50 – Updated: 2026-04-16 22:50Summary
Meridian v2.1.0 (Meridian.Mapping and Meridian.Mediator) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Map(source, destination) overload and anywhere .UseDestinationValue() is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).
All nine are patched in v2.1.1. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).
Severity Matrix
| # | Severity | CWE | Finding | Fix |
|---|---|---|---|---|
| 1 | HIGH | CWE-770 | MappingEngine.TryMapCollectionOntoExisting enumerated the source without enforcing DefaultMaxCollectionItems. Reachable via Mapper.Map<TSrc,TDst>(src, dst) and any .ForMember(..., o => o.UseDestinationValue()) on a collection member through a plain Map(src) call. |
Shared cap enforcement helper between MapCollection and TryMapCollectionOntoExisting. |
| 2 | HIGH | CWE-674 | Collection-item recursion in the existing-destination path did not increment ResolutionContext.Depth, so self-referential collection graphs could reach stack overflow before DefaultMaxDepth fired. |
Depth increments at every collection-item boundary. |
| 3 | MEDIUM | CWE-665 | ObjectCreator.CreateWithConstructorMapping always invoked the widest public constructor, silently filling unresolved parameters with default(T) and bypassing narrower-ctor invariants. |
Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default. |
| 4 | MEDIUM | CWE-532 | Mediator.MarkActivityFailure emitted the full ex.ToString() (stack + inner chain) to the OpenTelemetry exception.stacktrace activity tag by default, leaking context to any shared trace sink. |
Gated on MediatorTelemetryOptions.RecordExceptionStackTrace — opt-in, default false. |
| 5 | MEDIUM | CWE-400 | RetryBehavior retried every exception type with unbounded MaxRetries; the exponential-backoff delay overflowed TimeSpan at ~30 attempts. No cancellation exclusion. |
Server-side MaxRetriesCap = 10, MaxBackoff = 5 min, OperationCanceledException short-circuit, recommended RetryPolicy.TransientOnly helper. |
| 6 | MEDIUM | CWE-400 | TaskWhenAllPublisher started every registered handler concurrently with no bound on fan-out. |
New constructor parameter maxDegreeOfParallelism (default 16; -1 restores legacy unbounded). |
| 7 | LOW | CWE-209 | Public mapping exceptions leaked FullName of source/destination types and concatenated inner exception messages into top-level property-mapping errors. |
Scrubbed to type Name; inner details only via InnerException chain. |
| 8 | LOW | CWE-209 | Dictionary materialization threw ArgumentException on duplicate keys, echoing the attacker-supplied key's .ToString(). |
Last-write-wins indexer semantics. |
| 9 | LOW | CWE-1325 | Static mediator handler caches grow monotonically under closed-generic request types. Doc-only mitigation; no code change — consumers must not allow attacker-controlled runtime type materialization to reach Send, Publish, or CreateStream. |
Documented in docs/security-model.md. |
Exploitation
Finding 1 / 2 (headline): A consumer that maps user-supplied collection payloads onto an existing destination list via mapper.Map(userCollection, existingList) — a documented and commonly used AutoMapper-style idiom — processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through .UseDestinationValue() on a collection-typed destination member, reachable via a plain Map(src) call whose destination type default-initializes that member.
Finding 3: A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., new UserAccount(string name, Email email) enforcing a non-default Email) could be instantiated with the narrower ctor's invariants silently bypassed if any source field was absent — the widest ctor was always picked, with unbound parameters replaced by default(T).
Findings 4 / 5 / 6: Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.
Patches
Meridian.Mapping2.1.1 (published 2026-04-16)Meridian.Mediator2.1.1 (published 2026-04-16)
Verified via:
- GitHub Release assets at https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1
- Sigstore attestation (actions/attest-build-provenance@v2 → gh attestation verify green on both .nupkg from the GitHub Release)
- NuGet.org indexed both packages within the release workflow run
Workarounds
Users who cannot upgrade immediately may:
1. Avoid mapper.Map(src, dst) and .UseDestinationValue() on collection-typed destination members.
2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian.
3. Register TaskWhenAllPublisher with maxDegreeOfParallelism ≤ 16 manually (v2.1.1+ only).
4. Disable OpenTelemetry exception.stacktrace tag emission at the trace exporter level if your trace sink is less trusted than your application.
These are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.
Supported Versions
As of this advisory the supported security branch is 2.1.x. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See SECURITY.md for the updated supported-versions table.
Credits
- UmutKorkmaz (reporter and maintainer)
References
- v2.1.1 CHANGELOG section: https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16
docs/security-model.mdthreat model: https://github.com/UmutKorkmaz/meridian/blob/main/docs/security-model.mdSECURITY.mddisclosure policy: https://github.com/UmutKorkmaz/meridian/blob/main/SECURITY.md- AutoMapper CVE-2026-32933 (motivating precedent for Meridian's safety-defaults)
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Meridian.Mapping"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Meridian.Mediator"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1325",
"CWE-209",
"CWE-400",
"CWE-532",
"CWE-665",
"CWE-674",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:50:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nMeridian v2.1.0 (`Meridian.Mapping` and `Meridian.Mediator`) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity \u2014 the advertised `DefaultMaxCollectionItems` and `DefaultMaxDepth` safety caps are silently bypassed on the `IMapper.Map(source, destination)` overload and anywhere `.UseDestinationValue()` is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).\n\nAll nine are patched in **v2.1.1**. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).\n\n## Severity Matrix\n\n| # | Severity | CWE | Finding | Fix |\n|---|---|---|---|---|\n| 1 | **HIGH** | CWE-770 | `MappingEngine.TryMapCollectionOntoExisting` enumerated the source without enforcing `DefaultMaxCollectionItems`. Reachable via `Mapper.Map\u003cTSrc,TDst\u003e(src, dst)` and any `.ForMember(..., o =\u003e o.UseDestinationValue())` on a collection member through a plain `Map(src)` call. | Shared cap enforcement helper between `MapCollection` and `TryMapCollectionOntoExisting`. |\n| 2 | **HIGH** | CWE-674 | Collection-item recursion in the existing-destination path did not increment `ResolutionContext.Depth`, so self-referential collection graphs could reach stack overflow before `DefaultMaxDepth` fired. | Depth increments at every collection-item boundary. |\n| 3 | MEDIUM | CWE-665 | `ObjectCreator.CreateWithConstructorMapping` always invoked the widest public constructor, silently filling unresolved parameters with `default(T)` and bypassing narrower-ctor invariants. | Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default. |\n| 4 | MEDIUM | CWE-532 | `Mediator.MarkActivityFailure` emitted the full `ex.ToString()` (stack + inner chain) to the OpenTelemetry `exception.stacktrace` activity tag by default, leaking context to any shared trace sink. | Gated on `MediatorTelemetryOptions.RecordExceptionStackTrace` \u2014 opt-in, default `false`. |\n| 5 | MEDIUM | CWE-400 | `RetryBehavior` retried every exception type with unbounded `MaxRetries`; the exponential-backoff delay overflowed `TimeSpan` at ~30 attempts. No cancellation exclusion. | Server-side `MaxRetriesCap = 10`, `MaxBackoff = 5 min`, `OperationCanceledException` short-circuit, recommended `RetryPolicy.TransientOnly` helper. |\n| 6 | MEDIUM | CWE-400 | `TaskWhenAllPublisher` started every registered handler concurrently with no bound on fan-out. | New constructor parameter `maxDegreeOfParallelism` (default 16; `-1` restores legacy unbounded). |\n| 7 | LOW | CWE-209 | Public mapping exceptions leaked `FullName` of source/destination types and concatenated inner exception messages into top-level property-mapping errors. | Scrubbed to type `Name`; inner details only via `InnerException` chain. |\n| 8 | LOW | CWE-209 | Dictionary materialization threw `ArgumentException` on duplicate keys, echoing the attacker-supplied key\u0027s `.ToString()`. | Last-write-wins indexer semantics. |\n| 9 | LOW | CWE-1325 | Static mediator handler caches grow monotonically under closed-generic request types. **Doc-only mitigation**; no code change \u2014 consumers must not allow attacker-controlled runtime type materialization to reach `Send`, `Publish`, or `CreateStream`. | Documented in `docs/security-model.md`. |\n\n## Exploitation\n\n**Finding 1 / 2 (headline):** A consumer that maps user-supplied collection payloads onto an existing destination list via `mapper.Map(userCollection, existingList)` \u2014 a documented and commonly used AutoMapper-style idiom \u2014 processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through `.UseDestinationValue()` on a collection-typed destination member, reachable via a plain `Map(src)` call whose destination type default-initializes that member.\n\n**Finding 3:** A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., `new UserAccount(string name, Email email)` enforcing a non-default `Email`) could be instantiated with the narrower ctor\u0027s invariants silently bypassed if any source field was absent \u2014 the widest ctor was always picked, with unbound parameters replaced by `default(T)`.\n\n**Findings 4 / 5 / 6:** Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.\n\n## Patches\n\n- `Meridian.Mapping` **2.1.1** (published 2026-04-16)\n- `Meridian.Mediator` **2.1.1** (published 2026-04-16)\n\nVerified via:\n- GitHub Release assets at \u003chttps://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1\u003e\n- Sigstore attestation (`actions/attest-build-provenance@v2` \u2192 `gh attestation verify` green on both `.nupkg` from the GitHub Release)\n- NuGet.org indexed both packages within the release workflow run\n\n## Workarounds\n\nUsers who cannot upgrade immediately may:\n1. Avoid `mapper.Map(src, dst)` and `.UseDestinationValue()` on collection-typed destination members.\n2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian.\n3. Register `TaskWhenAllPublisher` with `maxDegreeOfParallelism` \u2264 16 manually (v2.1.1+ only).\n4. Disable OpenTelemetry `exception.stacktrace` tag emission at the trace exporter level if your trace sink is less trusted than your application.\n\nThese are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.\n\n## Supported Versions\n\nAs of this advisory the supported security branch is **2.1.x**. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See `SECURITY.md` for the updated supported-versions table.\n\n## Credits\n\n- UmutKorkmaz (reporter and maintainer)\n\n## References\n\n- v2.1.1 CHANGELOG section: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\u003e\n- `docs/security-model.md` threat model: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/docs/security-model.md\u003e\n- `SECURITY.md` disclosure policy: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/SECURITY.md\u003e\n- AutoMapper CVE-2026-32933 (motivating precedent for Meridian\u0027s safety-defaults)",
"id": "GHSA-f5v8-v6q3-q4h6",
"modified": "2026-04-16T22:50:37Z",
"published": "2026-04-16T22:50:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/security/advisories/GHSA-f5v8-v6q3-q4h6"
},
{
"type": "PACKAGE",
"url": "https://github.com/UmutKorkmaz/meridian"
},
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16"
},
{
"type": "WEB",
"url": "https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)"
}
GHSA-F65C-G26C-WPQ5
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-06-29 00:00White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-20470"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-21T05:15:00Z",
"severity": "MODERATE"
},
"details": "White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.",
"id": "GHSA-f65c-g26c-wpq5",
"modified": "2022-06-29T00:00:30Z",
"published": "2022-05-24T19:05:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20470"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/209.html"
},
{
"type": "WEB",
"url": "https://github.com/itodaro/WhiteSharkSystem_cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F7M2-V72X-HHC4
Vulnerability from github – Published: 2023-08-28 15:30 – Updated: 2024-04-04 07:14User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.
{
"affected": [],
"aliases": [
"CVE-2023-40767"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T13:15:10Z",
"severity": "CRITICAL"
},
"details": "User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.",
"id": "GHSA-f7m2-v72x-hhc4",
"modified": "2024-04-04T07:14:33Z",
"published": "2023-08-28T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40767"
},
{
"type": "WEB",
"url": "https://medium.com/%40mfortinsec/multiple-vulnerabilities-in-phpjabbers-part-3-40fc3565982f"
},
{
"type": "WEB",
"url": "https://medium.com/@mfortinsec/multiple-vulnerabilities-in-phpjabbers-part-3-40fc3565982f"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/make-an-offer-widget"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F82G-WM67-P9RW
Vulnerability from github – Published: 2025-02-04 21:32 – Updated: 2025-02-04 21:32IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2024-45658"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T21:15:26Z",
"severity": "LOW"
},
"details": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.",
"id": "GHSA-f82g-wm67-p9rw",
"modified": "2025-02-04T21:32:29Z",
"published": "2025-02-04T21:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45658"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182386"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FC5F-GC6J-GFHF
Vulnerability from github – Published: 2023-10-16 21:30 – Updated: 2024-04-04 08:42The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.
{
"affected": [],
"aliases": [
"CVE-2023-5177"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-16T20:15:17Z",
"severity": "MODERATE"
},
"details": "The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.",
"id": "GHSA-fc5f-gc6j-gfhf",
"modified": "2024-04-04T08:42:04Z",
"published": "2023-10-16T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5177"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a67b9c21-a35a-4cdb-9627-a5932334e5f0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFPX-JJRF-CQGH
Vulnerability from github – Published: 2025-07-08 12:31 – Updated: 2025-10-18 03:30Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-40718"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T12:15:22Z",
"severity": "MODERATE"
},
"details": "Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.",
"id": "GHSA-ffpx-jjrf-cqgh",
"modified": "2025-10-18T03:30:24Z",
"published": "2025-07-08T12:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40718"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-quiterweb-autoweb-quiter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FGP2-H88C-M594
Vulnerability from github – Published: 2024-08-16 21:32 – Updated: 2024-08-16 21:32IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the request. This information could be used in further attacks against the system. IBM X-Force ID: 272201.
{
"affected": [],
"aliases": [
"CVE-2023-47728"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-16T20:15:09Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the request. This information could be used in further attacks against the system. IBM X-Force ID: 272201.",
"id": "GHSA-fgp2-h88c-m594",
"modified": "2024-08-16T21:32:36Z",
"published": "2024-08-16T21:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47728"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/272201"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7161427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FH26-FRGR-HXXC
Vulnerability from github – Published: 2025-07-10 15:31 – Updated: 2025-07-10 15:31IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.
{
"affected": [],
"aliases": [
"CVE-2024-37524"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T15:15:24Z",
"severity": "MODERATE"
},
"details": "IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.",
"id": "GHSA-fh26-frgr-hxxc",
"modified": "2025-07-10T15:31:28Z",
"published": "2025-07-10T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37524"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7234122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation MIT-40
Strategy: Compilation or Build Hardening
Debugging information should not make its way into a production release.
Mitigation MIT-40
Strategy: Environment Hardening
Debugging information should not make its way into a production release.
Mitigation
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.