CVEbaza.plSłownik CWECWE-540
Common Weakness Enumeration

CWE-540

Inclusion of Sensitive Information in Source Code

Kategoria: BaseCVE: 30
Opis

Kod źródłowy na serwerze WWW lub w repozytorium często zawiera poufne informacje i zwykle nie powinien być dostępny dla użytkowników. Ujawnienie takiego kodu stanowi poważne zagrożenie dla bezpieczeństwa aplikacji.

Description (EN)

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

Podatności CVE z CWE-540 (30)
9.3
CVSS
CRITICAL
CVE-2025-23215

Narzędzie do statycznej analizy kodu PMD oraz PMD Designer opublikowały archiwa JAR na Maven Central zawierające passphrase do kluczy podpisujących wydania. Ze względu na ujawnienie passphrase, klucze prywatne muszą być traktowane jako potencjalnie skompromitowane.

pub. 2025-01-31
8.2
CVSS
HIGH
CVE-2025-26013

An issue in Loggrove v.1.0 allows a remote attacker to obtain sensitive information via the read.py component.

pub. 2025-02-21
7.9
CVSS
HIGH
CVE-2024-38647

An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP AI Core 3.4.1 and later

pub. 2024-11-22
7.8
CVSS
HIGH
CVE-2023-39250

Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to 6.1.1 and Replay Manager for VMware (RMSV) versions prior to 3.1.2 contain an information disclosure vulnerability. A local low-privileged malicious user could potentially exploit this vulnerability to retrieve an encryption key that could aid in further attacks.

pub. 2023-08-16
7.8
CVSS
HIGH
CVE-2021-28805

Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.

pub. 2021-06-11
7.5
CVSS
HIGH
CVE-2026-45728

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.

pub. 2026-05-26
7.5
CVSS
HIGH
CVE-2026-4155

ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.

pub. 2026-04-11
7.5
CVSS
HIGH
CVE-2025-49182

Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.

pub. 2025-06-12
7.5
CVSS
HIGH
CVE-2024-1272

Inclusion of Sensitive Information in Source Code vulnerability in TNB Mobile Solutions Cockpit Software allows Retrieve Embedded Sensitive Data. This issue affects Cockpit Software: before v0.251.1.

pub. 2024-06-05
6.9
CVSS
MEDIUM
CVE-2026-35383

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

pub. 2026-04-02
6.8
CVSS
MEDIUM
CVE-2024-38327

IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API.

pub. 2025-07-10
6.5
CVSS
MEDIUM
CVE-2021-34638

Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions.

pub. 2021-08-05
5.3
CVSS
MEDIUM
CVE-2025-0923

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.

pub. 2025-06-11
5.3
CVSS
MEDIUM
CVE-2024-35144

IBM Maximo Application Suite 8.10, 8.11, and 9.0 - Monitor Component stores source code on the web server that could aid in further attacks against the system.

pub. 2025-01-25
5.3
CVSS
MEDIUM
CVE-2024-2265

A vulnerability, which was classified as problematic, was found in keerti1924 PHP-MYSQL-User-Login-System 1.0. This affects an unknown part of the file login.sql. The manipulation leads to inclusion of sensitive information in source code. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256035. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

pub. 2024-03-07
5.3
CVSS
MEDIUM
CVE-2023-30802

The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to a source code disclosure vulnerability. A remote and unauthenticated attacker can obtain PHP source code by sending an HTTP request with an invalid Content-Length field.

pub. 2023-10-10
5.3
CVSS
MEDIUM
CVE-2023-23448

Inclusion of Sensitive Information in Source Code in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to gain information about valid usernames via analysis of source code.

pub. 2023-05-15
5.1
CVSS
MEDIUM
CVE-2025-3403

A vulnerability was found in Vivotek NVR ND8422P, NVR ND9525P and NVR ND9541P 2.4.0.204/3.3.0.104/4.2.0.101. It has been classified as problematic. Affected is an unknown function of the component HTML Form Handler. The manipulation leads to inclusion of sensitive information in source code. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

pub. 2025-04-08
4.9
CVSS
MEDIUM
CVE-2021-34744

Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory.

pub. 2021-10-06
4.9
CVSS
MEDIUM
CVE-2021-34757

Multiple vulnerabilities in Cisco Business 220 Series Smart Switches firmware could allow an attacker with Administrator privileges to access sensitive login credentials or reconfigure the passwords on the user account. For more information about these vulnerabilities, see the Details section of this advisory.

pub. 2021-10-06
Pokazano 20 z 30 podatności
Informacje
ID: CWE-540
Typ: Base
Podatności: 30
MITRE CWE ↗
← Słownik CWE