CWE-532
Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
CVE-2024-34559 (GCVE-0-2024-34559)
Vulnerability from cvelistv5 – Published: 2024-05-09 12:03 – Updated: 2026-04-28 16:09
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/gho… | vdb-entry |

| Vendor | Product | Version | |
|---|---|---|---|
| Ghost Foundation | Ghost | Affected: n/a , ≤ 1.4.0 (custom) | |
| ghost | ghost | Affected: 0 , ≤ 1.4.0 (custom) `cpe:2.3:a:ghost:ghost:*:*:*:*:*:*:*:*` | |

{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ghost:ghost:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ghost",
"vendor": "ghost",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T19:44:52.257515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:21:16.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/ghost/wordpress-ghost-plugin-1-4-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ghost",
"product": "Ghost",
"vendor": "Ghost Foundation",
"versions": [
{
"changes": [
{
"at": "1.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.\u003cp\u003eThis issue affects Ghost: from n/a through 1.4.0.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.This issue affects Ghost: from n/a through 1.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:49.526Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/ghost/wordpress-ghost-plugin-1-4-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.5.0 or a higher version."
}
],
"value": "Update to 1.5.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Ghost plugin \u003c= 1.4.0 - Sensitive Data Exposure via Log File vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-34559",
"datePublished": "2024-05-09T12:03:01.037Z",
"dateReserved": "2024-05-06T19:21:15.224Z",
"dateUpdated": "2026-04-28T16:09:49.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-34706 (GCVE-0-2024-34706)
Vulnerability from cvelistv5 – Published: 2024-05-13 16:02 – Updated: 2024-08-02 02:59
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://github.com/valtimo-platform/valtimo-front… | x_refsource_CONFIRM |
| https://github.com/valtimo-platform/valtimo-front… | x_refsource_MISC |
| https://github.com/valtimo-platform/valtimo-front… | x_refsource_MISC |
| https://github.com/valtimo-platform/valtimo-front… | x_refsource_MISC |

| Vendor | Product | Version | |
|---|---|---|---|
| valtimo-platform | valtimo-frontend-libraries | Affected: < 10.8.4; Affected: >= 11.0.0, < 11.1.6; Affected: >= 11.2.0, < 11.2.2 | |
| valtimo | frontend-libraries | Affected: 0 , < 10.8.4 (custom) `cpe:2.3:a:valtimo:frontend-libraries:*:*:*:*:*:*:*:*` | |
| valtimo | frontend-libraries | Affected: 11.2.0 , < 11.2.2 (custom) `cpe:2.3:a:valtimo:frontend-libraries:11.2.0:*:*:*:*:*:*:*` | |
| valtimo | frontend-libraries | Affected: 11.0.0 , < 11.1.6 (custom) `cpe:2.3:a:valtimo:frontend-libraries:11.0.0:*:*:*:*:*:*:*` | |

{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:valtimo:frontend-libraries:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frontend-libraries",
"vendor": "valtimo",
"versions": [
{
"lessThan": "10.8.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:valtimo:frontend-libraries:11.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frontend-libraries",
"vendor": "valtimo",
"versions": [
{
"lessThan": "11.2.2",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:valtimo:frontend-libraries:11.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "frontend-libraries",
"vendor": "valtimo",
"versions": [
{
"lessThan": "11.1.6",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T01:31:47.573618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:09:27.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/1aaba5ef5750dafebbc7476fb08bf2375a25f19e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/1aaba5ef5750dafebbc7476fb08bf2375a25f19e"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/8c2dbf2a41180d2b0358d878290e4d37168f0fb6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/8c2dbf2a41180d2b0358d878290e4d37168f0fb6"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/d65e05fd2784bd4a628778b34a5b79ce2f0cef8c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/d65e05fd2784bd4a628778b34a5b79ce2f0cef8c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "valtimo-frontend-libraries",
"vendor": "valtimo-platform",
"versions": [
{
"status": "affected",
"version": "\u003c 10.8.4"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.1.6"
},
{
"status": "affected",
"version": "\u003e= 11.2.0, \u003c 11.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.\n\nThe following conditions have to be met in order to perform this attack: An attacker needs to have access to the network traffic on the `api.form.io` domain; the content of the `x-jwt-token` header is logged or otherwise available to the attacker; an attacker needs to have network access to the Valtimo API; and an attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.\n\nVersions 10.8.4, 11.1.6 and 11.2.2 have been patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T16:02:28.694Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/security/advisories/GHSA-xcp4-62vj-cq3r"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/1aaba5ef5750dafebbc7476fb08bf2375a25f19e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/1aaba5ef5750dafebbc7476fb08bf2375a25f19e"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/8c2dbf2a41180d2b0358d878290e4d37168f0fb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/8c2dbf2a41180d2b0358d878290e4d37168f0fb6"
},
{
"name": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/d65e05fd2784bd4a628778b34a5b79ce2f0cef8c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/valtimo-platform/valtimo-frontend-libraries/commit/d65e05fd2784bd4a628778b34a5b79ce2f0cef8c"
}
],
"source": {
"advisory": "GHSA-xcp4-62vj-cq3r",
"discovery": "UNKNOWN"
},
"title": "@valtimo/components exposes access token to form.io"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34706",
"datePublished": "2024-05-13T16:02:28.694Z",
"dateReserved": "2024-05-07T13:53:00.132Z",
"dateUpdated": "2024-08-02T02:59:21.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34715 (GCVE-0-2024-34715)
Vulnerability from cvelistv5 – Published: 2024-05-29 16:35 – Updated: 2024-08-02 02:59

| URL | Tags |
|---|---|
| https://github.com/ethyca/fides/security/advisori… | x_refsource_CONFIRM |
| https://github.com/ethyca/fides/commit/6ab37b1ffe… | x_refsource_MISC |
| https://docs.sqlalchemy.org/en/14/core/engines.ht… | x_refsource_MISC |
| https://github.com/sqlalchemy/sqlalchemy/discussi… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T15:09:16.775448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:17.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
},
{
"name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
},
{
"name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
},
{
"name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.37.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T16:35:46.375Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
},
{
"name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
},
{
"name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
},
{
"name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
}
],
"source": {
"advisory": "GHSA-8cm5-jfj2-26q7",
"discovery": "UNKNOWN"
},
"title": "Partial Password Exposure Vulnerability in Fides Webserver Logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34715",
"datePublished": "2024-05-29T16:35:46.375Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34798 (GCVE-0-2024-34798)
Vulnerability from cvelistv5 – Published: 2024-06-03 10:21 – Updated: 2026-04-28 16:09
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/deb… | vdb-entry |

| Vendor | Product | Version | |
|---|---|---|---|
| Lukman Nakib | Debug Log – Manger Tool | Affected: n/a , ≤ 1.4.5 (custom) | |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T15:39:10.650662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:31.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/debug-log-config-tool/wordpress-debug-log-manger-tool-plugin-1-4-5-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "debug-log-config-tool",
"product": "Debug Log \u2013 Manger Tool",
"vendor": "Lukman Nakib",
"versions": [
{
"changes": [
{
"at": "1.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "emad (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log \u2013 Manger Tool.\u003cp\u003eThis issue affects Debug Log \u2013 Manger Tool: from n/a through 1.4.5.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in Lukman Nakib Debug Log \u2013 Manger Tool.This issue affects Debug Log \u2013 Manger Tool: from n/a through 1.4.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:51.001Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/debug-log-config-tool/wordpress-debug-log-manger-tool-plugin-1-4-5-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.5 or a higher version."
}
],
"value": "Update to 1.5 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Debug Log \u2013 Manger Tool plugin \u003c= 1.4.5 - Sensitive Data Exposure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-34798",
"datePublished": "2024-06-03T10:21:52.488Z",
"dateReserved": "2024-05-09T12:14:10.268Z",
"dateUpdated": "2026-04-28T16:09:51.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35196 (GCVE-0-2024-35196)
Vulnerability from cvelistv5 – Published: 2024-05-31 17:25 – Updated: 2024-08-02 03:07
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://github.com/getsentry/sentry/security/advi… | x_refsource_CONFIRM |
| https://github.com/getsentry/sentry/pull/70508 | x_refsource_MISC |
| https://api.slack.com/authentication/verifying-re… | x_refsource_MISC |
| https://api.slack.com/authentication/verifying-re… | x_refsource_MISC |
| https://api.slack.com/authentication/verifying-re… | x_refsource_MISC |
| https://develop.sentry.dev/integrations/slack | x_refsource_MISC |
| https://github.com/getsentry/sentry/blob/17d2b87e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:04:07.244703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:04:18.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.866Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j"
},
{
"name": "https://github.com/getsentry/sentry/pull/70508",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry/pull/70508"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#deprecation",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#deprecation"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#regenerating",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#regenerating"
},
{
"name": "https://develop.sentry.dev/integrations/slack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://develop.sentry.dev/integrations/slack"
},
{
"name": "https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sentry",
"vendor": "getsentry",
"versions": [
{
"status": "affected",
"version": "\u003e= 24.3.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sentry is a developer-first error tracking and performance monitoring platform. Sentry\u0027s Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this verification token, it is possible under specific configurations, an attacker can forge requests and act as the Slack integration. The request body is leaked in log entries matching `event == \"slack.*\" \u0026\u0026 name == \"sentry.integrations.slack\" \u0026\u0026 request_data == *`. The deprecated slack verification token, will be found in the `request_data.token` key. **SaaS users** do not need to take any action. **Self-hosted users** should upgrade to version 24.5.0 or higher, rotate their Slack verification token, and use the Slack Signing Secret instead of the verification token. For users only using the `slack.signing-secret` in their self-hosted configuration, the legacy verification token is not used to verify the webhook payload. It is ignored. Users unable to upgrade should either set the `slack.signing-secret` instead of `slack.verification-token`. The signing secret is Slack\u0027s recommended way of authenticating webhooks. By having `slack.singing-secret` set, Sentry self-hosted will no longer use the verification token for authentication of the webhooks, regardless of whether `slack.verification-token` is set or not. Alternatively if the self-hosted instance is unable to be upgraded or re-configured to use the `slack.signing-secret`, the logging configuration can be adjusted to not generate logs from the integration. The default logging configuration can be found in `src/sentry/conf/server.py`. **Services should be restarted once the configuration change is saved.**\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-31T17:26:07.151Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-c2g2-gx4j-rj3j"
},
{
"name": "https://github.com/getsentry/sentry/pull/70508",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry/pull/70508"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates",
"tags": [
"x_refsource_MISC"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#app-management-updates"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#deprecation",
"tags": [
"x_refsource_MISC"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#deprecation"
},
{
"name": "https://api.slack.com/authentication/verifying-requests-from-slack#regenerating",
"tags": [
"x_refsource_MISC"
],
"url": "https://api.slack.com/authentication/verifying-requests-from-slack#regenerating"
},
{
"name": "https://develop.sentry.dev/integrations/slack",
"tags": [
"x_refsource_MISC"
],
"url": "https://develop.sentry.dev/integrations/slack"
},
{
"name": "https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry/blob/17d2b87e39ccd57e11da4deed62971ff306253d1/src/sentry/conf/server.py#L1307"
}
],
"source": {
"advisory": "GHSA-c2g2-gx4j-rj3j",
"discovery": "UNKNOWN"
},
"title": "Slack integration leaks sensitive information in logs in Sentry"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35196",
"datePublished": "2024-05-31T17:25:55.716Z",
"dateReserved": "2024-05-10T14:24:24.342Z",
"dateUpdated": "2024-08-02T03:07:46.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36127 (GCVE-0-2024-36127)
Vulnerability from cvelistv5 – Published: 2024-06-03 14:49 – Updated: 2024-09-03 15:49

| URL | Tags |
|---|---|
| https://github.com/chainguard-dev/apko/security/a… | x_refsource_CONFIRM |
| https://github.com/chainguard-dev/apko/commit/2c0… | x_refsource_MISC |

| Vendor | Product | Version | |
|---|---|---|---|
| chainguard-dev | apko | Affected: < 0.14.5 | |
| chainguard-dev | apko | Affected: 0 , < 0.14.5 (custom) `cpe:2.3:a:chainguard-dev:apko:*:*:*:*:*:*:*:*` | |

{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:30:13.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"
},
{
"name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:chainguard-dev:apko:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apko",
"vendor": "chainguard-dev",
"versions": [
{
"lessThan": "0.14.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36127",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T19:11:57.608124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:49:45.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "apko",
"vendor": "chainguard-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-03T14:49:39.055Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-v6mg-7f7p-qmqp"
},
{
"name": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chainguard-dev/apko/commit/2c0533e4d52e83031a04f6a83ec63fc2a11eff01"
}
],
"source": {
"advisory": "GHSA-v6mg-7f7p-qmqp",
"discovery": "UNKNOWN"
},
"title": "apko Exposure of HTTP basic auth credentials in log output"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36127",
"datePublished": "2024-06-03T14:49:39.055Z",
"dateReserved": "2024-05-20T21:07:48.190Z",
"dateUpdated": "2024-09-03T15:49:45.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37205 (GCVE-0-2024-37205)
Vulnerability from cvelistv5 – Published: 2024-07-10 17:50 – Updated: 2026-04-28 16:09
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/aff… | vdb-entry |

| Vendor | Product | Version | |
|---|---|---|---|
| SERVIT Software Solutions | affiliate-toolkit | Affected: n/a , ≤ 3.4.4 (custom) | |
| servit | affiliate-toolkit | Affected: 0 , < 3.4.4 (custom) cpe:2.3:a:servit:affiliate-toolkit:*:*:*:*:*:wordpress:*:* | |

{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:servit:affiliate-toolkit:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "affiliate-toolkit",
"vendor": "servit",
"versions": [
{
"lessThan": "3.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T20:17:43.357443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T20:18:45.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-toolkit-starter/wordpress-affiliate-toolkit-plugin-3-4-4-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "affiliate-toolkit-starter",
"product": "affiliate-toolkit",
"vendor": "SERVIT Software Solutions",
"versions": [
{
"changes": [
{
"at": "3.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in SERVIT Software Solutions.\u003cp\u003eThis issue affects affiliate-toolkit: from n/a through 3.4.4.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in SERVIT Software Solutions.This issue affects affiliate-toolkit: from n/a through 3.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:56.653Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/affiliate-toolkit-starter/wordpress-affiliate-toolkit-plugin-3-4-4-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.4.5 or a higher version."
}
],
"value": "Update to 3.4.5 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress affiliate-toolkit plugin \u003c= 3.4.4 - Sensitive Data Exposure via Log File vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37205",
"datePublished": "2024-07-10T17:50:33.632Z",
"dateReserved": "2024-06-04T16:45:43.450Z",
"dateUpdated": "2026-04-28T16:09:56.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37270 (GCVE-0-2024-37270)
Vulnerability from cvelistv5 – Published: 2024-07-10 17:49 – Updated: 2026-04-28 16:09
- CWE-532 - Insertion of Sensitive Information into Log File

| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/ven… | vdb-entry |

| Vendor | Product | Version | |
|---|---|---|---|
| TrustedLogin | TrustedLogin Vendor | Affected: n/a , < 1.1.1 (custom) | |
| trustedlogin | trustedlogin | Affected: 0 , < 1.1.1 (custom) cpe:2.3:a:trustedlogin:trustedlogin:*:*:*:*:*:*:*:* | |

{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:trustedlogin:trustedlogin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "trustedlogin",
"vendor": "trustedlogin",
"versions": [
{
"lessThan": "1.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T13:55:24.486511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:17:58.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/vendor/wordpress-trustedlogin-vendor-plugin-1-1-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TrustedLogin Vendor",
"vendor": "TrustedLogin",
"versions": [
{
"changes": [
{
"at": "1.1.1",
"status": "unaffected"
}
],
"lessThan": "1.1.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in TrustedLogin TrustedLogin Vendor.\u003cp\u003eThis issue affects TrustedLogin Vendor: from n/a before 1.1.1.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in TrustedLogin TrustedLogin Vendor.This issue affects TrustedLogin Vendor: from n/a before 1.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:57.918Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/vendor/wordpress-trustedlogin-vendor-plugin-1-1-1-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.1.1 or a higher version."
}
],
"value": "Update to 1.1.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress TrustedLogin Vendor plugin \u003c 1.1.1 - Sensitive Data Exposure vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37270",
"datePublished": "2024-07-10T17:49:24.457Z",
"dateReserved": "2024-06-04T16:47:15.487Z",
"dateUpdated": "2026-04-28T16:09:57.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37283 (GCVE-0-2024-37283)
Vulnerability from cvelistv5 – Published: 2024-08-08 23:34 – Updated: 2024-08-09 15:34
- CWE-532 - Insertion of Sensitive Information into Log File

| Vendor | Product | Version | |
|---|---|---|---|
| Elastic | Elastic Agent | Affected: 8.6.0 , < 8.15.0 (semver) | |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37283",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T15:33:46.269773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T15:34:02.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elastic Agent",
"repo": "https://github.com/elastic/elastic-agent",
"vendor": "Elastic",
"versions": [
{
"lessThan": "8.15.0",
"status": "affected",
"version": "8.6.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. \u003cbr\u003e"
}
],
"value": "An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T23:34:22.070Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"url": "https://discuss.elastic.co/t/elastic-agent-8-15-0-security-update-esa-2024-23/364635"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Elastic Agent Insertion of Sensitive Information into Log File",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2024-37283",
"datePublished": "2024-08-08T23:34:22.070Z",
"dateReserved": "2024-06-05T14:21:14.942Z",
"dateUpdated": "2024-08-09T15:34:02.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37286 (GCVE-0-2024-37286)
Vulnerability from cvelistv5 – Published: 2024-08-03 15:16 – Updated: 2024-09-03 15:36
- CWE-532 - Insertion of Sensitive Information into Log File

| Vendor | Product | Version | |
|---|---|---|---|
| Elastic | APM Server | Unaffected: 8.14.0 (semver) | |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37286",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:49:35.536482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:36:33.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "APM Server",
"vendor": "Elastic",
"versions": [
{
"status": "unaffected",
"version": "8.14.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-03T15:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged."
}
],
"value": "APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T15:16:22.700Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"url": "https://discuss.elastic.co/t/apm-server-8-14-0-security-update-esa-2024-19/364289"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "APM Server Insertion of Sensitive Information into Log File",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2024-37286",
"datePublished": "2024-08-03T15:16:22.700Z",
"dateReserved": "2024-06-05T14:21:14.942Z",
"dateUpdated": "2024-09-03T15:36:33.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation
Phase: Distribution
Description:
- Remove debug log files before deploying the application into production.
Mitigation
Phase: Operation
Description:
- Protect log files against unauthorized read/write.
Mitigation
Phase: Implementation
Description:
- Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.