CWE-756
Missing Custom Error Page
The product does not return custom error pages to the user, possibly exposing sensitive information.
CVE-2018-8913 (GCVE-0-2018-8913)
Vulnerability from cvelistv5 – Published: 2019-04-01 14:23 – Updated: 2024-09-16 23:51
VLAI?
Summary
Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.
Severity ?
7.1 (High)
CWE
- CWE-756 - Missing Custom Error Page (CWE-756)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Web Station |
Affected:
unspecified , < 2.1.3-0139
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Web Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "2.1.3-0139",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-03-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-756",
"description": "Missing Custom Error Page (CWE-756)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-01T14:23:46",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2019-03-31T00:00:00",
"ID": "CVE-2018-8913",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Web Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "2.1.3-0139"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Custom Error Page (CWE-756)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_18_29",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_18_29"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2018-8913",
"datePublished": "2019-04-01T14:23:46.446649Z",
"dateReserved": "2018-03-22T00:00:00",
"dateUpdated": "2024-09-16T23:51:27.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3175 (GCVE-0-2022-3175)
Vulnerability from cvelistv5 – Published: 2022-09-13 09:20 – Updated: 2024-08-03 01:00
VLAI?
Summary
Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2.
Severity ?
5.3 (Medium)
CWE
- CWE-756 - Missing Custom Error Page
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ikus060 | ikus060/rdiffweb |
Affected:
unspecified , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ikus060/rdiffweb",
"vendor": "ikus060",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-756",
"description": "CWE-756 Missing Custom Error Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T09:20:10",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
}
],
"source": {
"advisory": "c40badc3-c9e7-4b69-9e2e-2b9f05865159",
"discovery": "EXTERNAL"
},
"title": "Missing Custom Error Page in ikus060/rdiffweb",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3175",
"STATE": "PUBLIC",
"TITLE": "Missing Custom Error Page in ikus060/rdiffweb"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ikus060/rdiffweb",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "ikus060"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-756 Missing Custom Error Page"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/c40badc3-c9e7-4b69-9e2e-2b9f05865159"
},
{
"name": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5",
"refsource": "MISC",
"url": "https://github.com/ikus060/rdiffweb/commit/233befc33bdc45d4838c773d5aed4408720504c5"
}
]
},
"source": {
"advisory": "c40badc3-c9e7-4b69-9e2e-2b9f05865159",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3175",
"datePublished": "2022-09-13T09:20:10",
"dateReserved": "2022-09-12T00:00:00",
"dateUpdated": "2024-08-03T01:00:10.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27998 (GCVE-0-2023-27998)
Vulnerability from cvelistv5 – Published: 2023-09-13 12:29 – Updated: 2024-09-25 17:26
VLAI?
Summary
A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.
Severity ?
CWE
- CWE-756 - Information disclosure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | FortiPresence |
Affected:
1.2.0 , ≤ 1.2.1
(semver)
Affected: 1.1.0 , ≤ 1.1.1 (semver) Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:23:30.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-288",
"tags": [
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-22-288"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortipresence:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fortipresence",
"vendor": "fortinet",
"versions": [
{
"status": "affected",
"version": "1.0.0"
},
{
"status": "affected",
"version": "1.1.0"
},
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T17:24:33.642111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T17:26:14.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FortiPresence",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "1.1.1",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-756",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T12:29:15.591Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-288",
"url": "https://fortiguard.com/psirt/FG-IR-22-288"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiPresence version 2.0.0 or above\r\n\u00a0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2023-27998",
"datePublished": "2023-09-13T12:29:15.591Z",
"dateReserved": "2023-03-09T10:09:33.120Z",
"dateUpdated": "2024-09-25T17:26:14.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.