Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-PXV2-R799-MJ6C

Vulnerability from github – Published: 2025-06-16 18:32 – Updated: 2025-06-16 18:32
VLAI
Details

A flaw exists in FlashArray whereby the Key Encryption Key (KEK) is logged during key rotation when RDL is configured.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-16T17:15:28Z",
    "severity": "MODERATE"
  },
  "details": "A flaw exists in FlashArray whereby the Key Encryption Key (KEK) is logged during key rotation when RDL is configured.",
  "id": "GHSA-pxv2-r799-mj6c",
  "modified": "2025-06-16T18:32:19Z",
  "published": "2025-06-16T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2327"
    },
    {
      "type": "WEB",
      "url": "https://support.purestorage.com/category/m_pure_storage_product_security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PXX3-8XW2-8X5X

Vulnerability from github – Published: 2024-04-18 12:30 – Updated: 2026-04-28 21:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-18T11:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Inisev Backup Migration.This issue affects Backup Migration: from n/a through 1.4.3.",
  "id": "GHSA-pxx3-8xw2-8x5x",
  "modified": "2026-04-28T21:34:51Z",
  "published": "2024-04-18T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32686"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/backup-backup/wordpress-backup-migration-plugin-1-4-3-sensitive-data-exposure-via-log-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXXX-P822-7V7M

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

A log information disclosure vulnerability in B&R GateManager 4260 and 9250 versions <9.0.20262 and GateManager 8250 versions <9.2.620236042 allows authenticated users to view log information reserved for other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-15T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A log information disclosure vulnerability in B\u0026R GateManager 4260 and 9250 versions \u003c9.0.20262 and GateManager 8250 versions \u003c9.2.620236042 allows authenticated users to view log information reserved for other users.",
  "id": "GHSA-pxxx-p822-7v7m",
  "modified": "2022-05-24T17:30:43Z",
  "published": "2022-05-24T17:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11646"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-273-03"
    },
    {
      "type": "WEB",
      "url": "https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q24M-6H38-5XJ8

Vulnerability from github – Published: 2023-10-19 17:10 – Updated: 2023-10-24 22:48
VLAI
Summary
ydb-go-sdk token in custom credentials object can leak through logs
Details

Impact

Since ydb-go-sdk/v3.48.6 if you use a custom credentials object (implementation of interface Credentials) it may leak into logs. This happens because this object could be serialized into an error message using fmt.Errorf("something went wrong (credentials: %q)", credentials) during connection to the YDB server. Printf func use placeholder %q for string representation of argument with quotes. If an argument implements interface fmt.Stringer, it will used through String() func. In other cases used fallback - serialization with reflection.

If such logging occurred, a malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database.

Who is impacted: applications with custom credentials object with an explicit token field.

A leak could have occurred if all of these conditions were met simultaneously: 1) The credentials object does not implement the fmt.Stringer interface (does not have a String() method) - potentially these are custom credentials. Official credentials have a String() method. 2) There was an error connecting to YDB during driver creation via ydb.Open(...). 3) Some logging system was configured (ydb-go-sdk does not log such errors by default). 4) The connection error was logged into a system that a malicious user had access to.

Patches

ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3 (PR).

Workarounds

Implement the fmt.Stringer interface in your custom credentials type with explicit stringify of object state.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ydb-platform/ydb-go-sdk/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.48.6"
            },
            {
              "fixed": "3.53.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T17:10:00Z",
    "nvd_published_at": "2023-10-19T19:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nSince [ydb-go-sdk/v3.48.6](https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71) if you use a custom credentials object (implementation of interface [Credentials](https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10)) it may leak into logs. This happens because this object could be serialized into an error message using `fmt.Errorf(\"something went wrong (credentials: %q)\", credentials)` during connection to the YDB server. Printf func use placeholder `%q` for string representation of argument with quotes. If an argument implements interface `fmt.Stringer`, it will used through `String()` func. In other cases used fallback - serialization with reflection.\n\nIf such logging occurred, a  malicious user with access to logs could read sensitive information (i.e. credentials) information and use it to get access to the database.\n\nWho is impacted: applications with custom credentials object with an explicit token field.\n\nA leak could have occurred if all of these conditions were met simultaneously:\n1) The credentials object does not implement the `fmt.Stringer` interface (does not have a `String()` method) - potentially these are custom credentials. Official credentials have a `String()` method.\n2) There was an error connecting to YDB during driver creation via `ydb.Open(...)`.\n3) Some logging system was configured (`ydb-go-sdk` does not log such errors by default).\n4) The connection error was logged into a system that a malicious user had access to.\n\n### Patches\n`ydb-go-sdk` contains this problem in versions from v3.48.6 to v3.53.2. The fix for this problem has been released in version v3.53.3 ([PR](https://github.com/ydb-platform/ydb-go-sdk/pull/859)).\n\n### Workarounds\nImplement the `fmt.Stringer` interface in your custom credentials type with explicit stringify of object state.",
  "id": "GHSA-q24m-6h38-5xj8",
  "modified": "2023-10-24T22:48:40Z",
  "published": "2023-10-19T17:10:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ydb-platform/ydb-go-sdk/pull/859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ydb-platform/ydb-go-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ydb-go-sdk token in custom credentials object can leak through logs"
}

GHSA-Q298-375F-5Q63

Vulnerability from github – Published: 2025-03-13 18:57 – Updated: 2025-03-13 21:39
VLAI
Summary
Snowflake JDBC Driver client-side encryption key in DEBUG logs
Details

Issue

Snowflake discovered and remediated a vulnerability in the Snowflake JDBC driver (“Driver”). When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake.

This vulnerability affects Driver versions 3.0.13 through 3.23.0. Snowflake fixed the issue in version 3.23.1.

Vulnerability Details

When the logging level was set to DEBUG, the Driver would locally log the client-side encryption master key of the target stage during the execution of GET/PUT commands. The key was logged in a JSON object under the queryStageMasterKey key. The key by itself does not grant access to any sensitive data.

Solution

Snowflake released version 3.23.1 of the Snowflake JDBC driver, which fixes this issue. We highly recommend users upgrade to version 3.23.1.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our Vulnerability Disclosure Policy.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.23.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "net.snowflake:snowflake-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.13"
            },
            {
              "fixed": "3.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-13T18:57:46Z",
    "nvd_published_at": "2025-03-13T19:15:52Z",
    "severity": "LOW"
  },
  "details": "### Issue\nSnowflake discovered and remediated a vulnerability in the Snowflake JDBC driver (\u201cDriver\u201d). When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations,  and is not logged server-side by Snowflake.\n\nThis vulnerability affects Driver versions 3.0.13 through 3.23.0. Snowflake fixed the issue in version 3.23.1.\n\n### Vulnerability Details\nWhen the logging level was set to DEBUG, the Driver would locally log the client-side encryption master key of the target stage during the execution of GET/PUT commands. The key was logged in a JSON object under the queryStageMasterKey key. The key by itself does not grant access to any sensitive data.\n\n### Solution\nSnowflake released version 3.23.1 of the Snowflake JDBC driver, which fixes this issue. We highly recommend users upgrade to version 3.23.1.\n\n### Additional Information\nIf you discover a security vulnerability in one of our products or websites, please report the issue to Snowflake through our Vulnerability Disclosure Program hosted at HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).",
  "id": "GHSA-q298-375f-5q63",
  "modified": "2025-03-13T21:39:12Z",
  "published": "2025-03-13T18:57:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-q298-375f-5q63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27496"
    },
    {
      "type": "WEB",
      "url": "https://github.com/snowflakedb/snowflake-jdbc/commit/ef81582ce2f1dbc3c8794a696c94f4fe65fad507"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/snowflakedb/snowflake-jdbc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Snowflake JDBC Driver client-side encryption key in DEBUG logs"
}

GHSA-Q3P5-XQF4-5MGF

Vulnerability from github – Published: 2023-12-12 18:31 – Updated: 2023-12-12 18:31
VLAI
Details

An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T18:15:23Z",
    "severity": "MODERATE"
  },
  "details": " An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.",
  "id": "GHSA-q3p5-xqf4-5mgf",
  "modified": "2023-12-12T18:31:35Z",
  "published": "2023-12-12T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49923"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/enterprise-search-8-11-2-7-17-16-security-update-esa-2023-31/349181"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q433-J342-RP9H

Vulnerability from github – Published: 2026-01-15 18:11 – Updated: 2026-01-15 20:17
VLAI
Summary
Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
Details

Summary

The http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.

Details

It’s better to remove both lines, as this information makes little sense in this context anyway.

https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92 https://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93

PoC

In the Pimcore backend, navigate to "Search Engine Optimization" and click on "HTTP Errors." Double-click on an entry to view its details. Here, you may find sensitive data exposed.

Impact

Pimcore backend users can access sensitive environment variables, potentially exposing critical information.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0-RC1"
            },
            {
              "fixed": "12.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.5.13"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.5.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T18:11:46Z",
    "nvd_published_at": "2026-01-15T17:16:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend.\n\n### Details\nIt\u2019s better to remove both lines, as this information makes little sense in this context anyway.\n\nhttps://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L92\nhttps://github.com/pimcore/pimcore/blob/12.x/bundles/SeoBundle/src/EventListener/ResponseExceptionListener.php#L93\n\n### PoC\nIn the Pimcore backend, navigate to \"Search Engine Optimization\" and click on \"HTTP Errors.\" Double-click on an entry to view its details. Here, you may find sensitive data exposed.\n\n### Impact\nPimcore backend users can access sensitive environment variables, potentially exposing critical information.",
  "id": "GHSA-q433-j342-rp9h",
  "modified": "2026-01-15T20:17:42Z",
  "published": "2026-01-15T18:11:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23493"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/18918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore ENV Variables and Cookie Informations are exposed in http_error_log"
}

GHSA-Q4P7-87J5-56XV

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress & Debug allows Retrieve Embedded Sensitive Data. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:16Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in smackcoders AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug allows Retrieve Embedded Sensitive Data. This issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through 1.2.",
  "id": "GHSA-q4p7-87j5-56xv",
  "modified": "2026-04-01T18:34:20Z",
  "published": "2025-04-01T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31788"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/all-in-one-performance-accelerator/vulnerability/wordpress-aio-performance-profiler-monitor-optimize-compress-debug-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q4P8-C668-H326

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-01T20:29:00Z",
    "severity": "LOW"
  },
  "details": "The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.",
  "id": "GHSA-q4p8-c668-h326",
  "modified": "2022-05-13T01:11:38Z",
  "published": "2022-05-13T01:11:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9271"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1050625"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VP2DNHXEQFHXBCTSREPNR7BU4EX64SQG"
    },
    {
      "type": "WEB",
      "url": "https://www.suse.com/de-de/security/cve/CVE-2017-9271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5GV-8P63-3QRR

Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2026-04-28 21:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro – Payfast Gateway Add On.This issue affects Paid Memberships Pro – Payfast Gateway Add On: from n/a through 1.4.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Paid Memberships Pro Paid Memberships Pro \u2013 Payfast Gateway Add On.This issue affects Paid Memberships Pro \u2013 Payfast Gateway Add On: from n/a through 1.4.1.",
  "id": "GHSA-q5gv-8p63-3qrr",
  "modified": "2026-04-28T21:34:25Z",
  "published": "2024-03-29T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30514"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/pmpro-payfast/wordpress-paid-memberships-pro-payfast-gateway-add-on-plugin-1-4-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.