Common Weakness Enumeration

CWE-756

Allowed

Missing Custom Error Page

Abstraction: Base · Status: Incomplete

The product does not return custom error pages to the user, possibly exposing sensitive information.

5 vulnerabilities reference this CWE, most recent first.

CVE-2023-27998 (GCVE-0-2023-27998)

Vulnerability from cvelistv5 – Published: 2023-09-13 12:29 – Updated: 2024-09-25 17:26
VLAI
Summary
A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Fortinet FortiPresence Affected: 1.2.0 , ≤ 1.2.1 (semver)
Affected: 1.1.0 , ≤ 1.1.1 (semver)
Affected: 1.0.0
Create a notification for this product.
fortinet fortipresence Affected: 1.0.0
Affected: 1.1.0
Affected: 1.2.0 , ≤ 1.2.1 (custom)
    cpe:2.3:a:fortinet:fortipresence:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:23:30.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://fortiguard.com/psirt/FG-IR-22-288",
            "tags": [
              "x_transferred"
            ],
            "url": "https://fortiguard.com/psirt/FG-IR-22-288"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:fortinet:fortipresence:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "fortipresence",
            "vendor": "fortinet",
            "versions": [
              {
                "status": "affected",
                "version": "1.0.0"
              },
              {
                "status": "affected",
                "version": "1.1.0"
              },
              {
                "lessThanOrEqual": "1.2.1",
                "status": "affected",
                "version": "1.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-27998",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T17:24:33.642111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T17:26:14.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FortiPresence",
          "vendor": "Fortinet",
          "versions": [
            {
              "lessThanOrEqual": "1.2.1",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.1.1",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:C",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-756",
              "description": "Information disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-13T12:29:15.591Z",
        "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "shortName": "fortinet"
      },
      "references": [
        {
          "name": "https://fortiguard.com/psirt/FG-IR-22-288",
          "url": "https://fortiguard.com/psirt/FG-IR-22-288"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please upgrade to FortiPresence version 2.0.0 or above\r\n\u00a0"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
    "assignerShortName": "fortinet",
    "cveId": "CVE-2023-27998",
    "datePublished": "2023-09-13T12:29:15.591Z",
    "dateReserved": "2023-03-09T10:09:33.120Z",
    "dateUpdated": "2024-09-25T17:26:14.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3175 (GCVE-0-2022-3175)

Vulnerability from cvelistv5 – Published: 2022-09-13 09:20 – Updated: 2024-08-03 01:00
VLAI
Title
Missing Custom Error Page in ikus060/rdiffweb
Summary
Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2.
CWE
  • CWE-756 - Missing Custom Error Page
Assigner
References
Impacted products
Vendor Product Version
ikus060 ikus060/rdiffweb Affected: unspecified , < 2.4.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:00:10.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ikus060/rdiffweb",
          "vendor": "ikus060",
          "versions": [
            {
              "lessThan": "2.4.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-756",
              "description": "CWE-756 Missing Custom Error Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-13T09:20:10.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
        }
      ],
      "source": {
        "advisory": "c40badc3-c9e7-4b69-9e2e-2b9f05865159",
        "discovery": "EXTERNAL"
      },
      "title": "Missing Custom Error Page in ikus060/rdiffweb",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-3175",
          "STATE": "PUBLIC",
          "TITLE": "Missing Custom Error Page in ikus060/rdiffweb"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ikus060/rdiffweb",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.4.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ikus060"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-756 Missing Custom Error Page"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
            },
            {
              "name": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5",
              "refsource": "MISC",
              "url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
            }
          ]
        },
        "source": {
          "advisory": "c40badc3-c9e7-4b69-9e2e-2b9f05865159",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-3175",
    "datePublished": "2022-09-13T09:20:10.000Z",
    "dateReserved": "2022-09-12T00:00:00.000Z",
    "dateUpdated": "2024-08-03T01:00:10.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-8913 (GCVE-0-2018-8913)

Vulnerability from cvelistv5 – Published: 2019-04-01 14:23 – Updated: 2024-09-16 23:51
VLAI
Summary
Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.
CWE
  • CWE-756 - Missing Custom Error Page (CWE-756)
Assigner
References
Impacted products
Vendor Product Version
Synology Web Station Affected: unspecified , < 2.1.3-0139 (custom)
Create a notification for this product.
Date Public
2019-03-31 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:10:46.703Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Web Station",
          "vendor": "Synology",
          "versions": [
            {
              "lessThan": "2.1.3-0139",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-03-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-756",
              "description": "Missing Custom Error Page (CWE-756)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-01T14:23:46.000Z",
        "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "shortName": "synology"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@synology.com",
          "DATE_PUBLIC": "2019-03-31T00:00:00",
          "ID": "CVE-2018-8913",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Web Station",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "2.1.3-0139"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Synology"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Custom Error Page (CWE-756)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_18_29",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
    "assignerShortName": "synology",
    "cveId": "CVE-2018-8913",
    "datePublished": "2019-04-01T14:23:46.446Z",
    "dateReserved": "2018-03-22T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:51:27.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-7PP3-X5H4-FX5V

Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-04-04 07:39
VLAI
Details

A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755",
      "CWE-756"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-13T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.",
  "id": "GHSA-7pp3-x5h4-fx5v",
  "modified": "2024-04-04T07:39:06Z",
  "published": "2023-09-13T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27998"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-288"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CH4C-278Q-5654

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2024-10-25 21:32
VLAI
Summary
rdiffweb Missing Custom Error Page
Details

rdiffweb version 2.4.1 is set to a default and leaks error information. Version 2.4.2 fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.1"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755",
      "CWE-756"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:23:16Z",
    "nvd_published_at": "2022-09-13T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "rdiffweb version 2.4.1 is set to a default and leaks error information. Version 2.4.2 fixes this issue.",
  "id": "GHSA-ch4c-278q-5654",
  "modified": "2024-10-25T21:32:58Z",
  "published": "2022-09-14T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ch4c-278q-5654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikus060/rdiffweb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/blob/4d1232cd0586eb79d1a921969f8f7a198a00d92b/README.md?plain=1#L149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-273.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rdiffweb Missing Custom Error Page"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.