CVEbaza.plCWE DictionaryCWE-209
Common Weakness Enumeration

CWE-209

Generation of Error Message Containing Sensitive Information

Category: BaseCVE: 666
Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.

CVE vulnerabilities with CWE-209 (666)
10.0
CVSS
CRITICAL
CVE-2025-62168

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

pub. 2025-10-17
9.9
CVSS
CRITICAL
CVE-2025-68110

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.

pub. 2025-12-17
9.8
CVSS
CRITICAL
CVE-2026-22778

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.

pub. 2026-02-02
9.8
CVSS
CRITICAL
CVE-2025-46658

An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. There are verbose error messages.

pub. 2025-08-05
9.8
CVSS
CRITICAL
CVE-2024-28285

A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges.

pub. 2024-05-14
9.8
CVSS
CRITICAL
CVE-2023-40757

User enumeration is found in PHPJabbers Food Delivery Script v3.1. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40758

User enumeration is found in PHPJabbers Document Creator v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40759

User enumeration is found in PHP Jabbers Restaurant Booking Script v3.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40760

User enumeration is found in PHP Jabbers Hotel Booking System v4.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40761

User enumeration is found in PHPJabbers Yacht Listing Script v2.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40762

User enumeration is found in PHPJabbers Fundraising Script v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40763

User enumeration is found in PHPJabbers Taxi Booking Script v2.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40764

User enumeration is found in PHP Jabbers Car Rental Script v3.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40765

User enumeration is found in PHPJabbers Event Booking Calendar v4.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40766

User enumeration is found in in PHPJabbers Ticket Support Script v3.2. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2023-40767

User enumeration is found in in PHPJabbers Make an Offer Widget v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.

pub. 2023-08-28
9.8
CVSS
CRITICAL
CVE-2021-42777

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start.

pub. 2022-10-29
9.8
CVSS
CRITICAL
CVE-2019-7644

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

pub. 2019-04-11
9.8
CVSS
CRITICAL
CVE-2019-7612

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

pub. 2019-03-25
9.8
CVSS
CRITICAL
CVE-2018-14925

Matera Banco 1.0.0 mishandles Java errors in the backend, as demonstrated by a stack trace revealing use of net.sf.acegisecurity components.

pub. 2018-08-03
Showing 20 of 666 vulnerabilities
Information
ID: CWE-209
Type: Base
Vulnerabilities: 666
MITRE CWE ↗
← CWE Dictionary
CWE-209 — Generation of Error Message Containing Sensitive Information | CWE Dictionary | CVEbaza.pl