Common Weakness Enumeration

CWE-532

Allowed

Insertion of Sensitive Information into Log File

Abstraction: Base · Status: Incomplete

The product writes sensitive information to a log file.

1744 vulnerabilities reference this CWE, most recent first.

GHSA-FHC3-6CC5-9WM2

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:19
VLAI
Details

The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-22T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.",
  "id": "GHSA-fhc3-6cc5-9wm2",
  "modified": "2024-04-04T01:19:57Z",
  "published": "2022-05-24T16:50:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13098"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/a5VhaxYn"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/raw/rVGbwSw0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ3R-HWRR-XQFR

Vulnerability from github – Published: 2026-02-20 00:31 – Updated: 2026-02-20 00:31
VLAI
Details

Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS.",
  "id": "GHSA-fj3r-hwrr-xqfr",
  "modified": "2026-02-20T00:31:53Z",
  "published": "2026-02-20T00:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2350"
    },
    {
      "type": "WEB",
      "url": "https://security.tanium.com/TAN-2026-008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJQQ-2VWG-X669

Vulnerability from github – Published: 2023-05-31 00:31 – Updated: 2024-04-04 04:24
VLAI
Details

An issue was discovered in Faronics Insight 10.0.19045 on Windows. Every keystroke made by any user on a computer with the Student application installed is logged to a world-readable directory. A local attacker can trivially extract these cleartext keystrokes, potentially enabling them to obtain PII and/or to compromise personal accounts owned by the victim.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-31T00:15:10Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in Faronics Insight 10.0.19045 on Windows. Every keystroke made by any user on a computer with the Student application installed is logged to a world-readable directory. A local attacker can trivially extract these cleartext keystrokes, potentially enabling them to obtain PII and/or to compromise personal accounts owned by the victim.",
  "id": "GHSA-fjqq-2vwg-x669",
  "modified": "2024-04-04T04:24:40Z",
  "published": "2023-05-31T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28351"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/?research=Technical%20advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJXV-6346-8J89

Vulnerability from github – Published: 2022-12-12 18:30 – Updated: 2022-12-15 18:30
VLAI
Details

An insertion of sensitive information into log file vulnerability exists in PcVue versions 15 through 15.2.2. This could allow a user with access to the log files to discover connection strings of data sources configured for the DbConnect, which could include credentials. Successful exploitation of this vulnerability could allow other users unauthorized access to the underlying data sources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insertion of sensitive information into log file vulnerability exists in PcVue versions 15 through 15.2.2. This could allow a user with access to the log files to discover connection strings of data sources configured for the DbConnect, which could include credentials. Successful exploitation of this vulnerability could allow other users unauthorized access to the underlying data sources.",
  "id": "GHSA-fjxv-6346-8j89",
  "modified": "2022-12-15T18:30:24Z",
  "published": "2022-12-12T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4311"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvuesolutions.com/support/index.php/en/security-bulletin/1165-security-bulletin-2022-6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMG6-FMH4-F53C

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details

Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:17:28Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.",
  "id": "GHSA-fmg6-fmh4-f53c",
  "modified": "2026-04-14T18:30:42Z",
  "published": "2026-04-14T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32215"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMJQ-R684-53F6

Vulnerability from github – Published: 2022-05-14 01:28 – Updated: 2022-05-14 01:28
VLAI
Details

The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-14T04:29:00Z",
    "severity": "LOW"
  },
  "details": "The LinuxMagic MagicSpam extension before 2.0.14-1 for Plesk allows local users to discover mailbox names by reading /var/log/magicspam/mslog.",
  "id": "GHSA-fmjq-r684-53f6",
  "modified": "2022-05-14T01:28:42Z",
  "published": "2022-05-14T01:28:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5693"
    },
    {
      "type": "WEB",
      "url": "https://www.vulnerability-lab.com/get_content.php?id=2113"
    },
    {
      "type": "WEB",
      "url": "http://forums.wizard.ca/viewtopic.php?f=17\u0026t=236760"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP3R-VJ8X-58WW

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Insertion of sensitive information into log file in Active Directory Federation Services allows an unauthorized attacker to disclose information locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into log file in Active Directory Federation Services allows an unauthorized attacker to disclose information locally.",
  "id": "GHSA-fp3r-vj8x-58ww",
  "modified": "2025-10-14T18:30:35Z",
  "published": "2025-10-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59258"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59258"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPP3-FR29-G442

Vulnerability from github – Published: 2026-02-10 06:30 – Updated: 2026-02-10 06:30
VLAI
Details

AXIS Camera Station Pro contained a flaw to perform a privilege escalation attack on the server as a non-admin user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T06:15:53Z",
    "severity": "HIGH"
  },
  "details": "AXIS Camera Station Pro contained a flaw to\u00a0perform a privilege escalation attack on the server as a non-admin user.",
  "id": "GHSA-fpp3-fr29-g442",
  "modified": "2026-02-10T06:30:39Z",
  "published": "2026-02-10T06:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11547"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/permalink/253485/cve-2025-11547pdf-en-US_253485.pdf?noS3=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPQQ-XVP5-HHMQ

Vulnerability from github – Published: 2025-11-26 18:31 – Updated: 2025-11-26 18:31
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T07:15:34Z",
    "severity": "HIGH"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.0.0 before 5.2.12.",
  "id": "GHSA-fpqq-xvp5-hhmq",
  "modified": "2025-11-26T18:31:01Z",
  "published": "2025-11-26T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8663"
    },
    {
      "type": "WEB",
      "url": "https://support.upkeeper.se/hc/en-us/articles/22107280228252-CVE-2025-8663-Insertion-of-Sensitive-Information-into-Log-File"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FQWF-C5XQ-HMCF

Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2026-04-28 21:34
VLAI
Details

Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.45.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of Sensitive Information into Log File vulnerability in Fr\u00e9d\u00e9ric GILLES FG PrestaShop to WooCommerce.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.45.1.",
  "id": "GHSA-fqwf-c5xq-hmcf",
  "modified": "2026-04-28T21:34:25Z",
  "published": "2024-03-29T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30511"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/fg-prestashop-to-woocommerce/wordpress-fg-prestashop-to-woocommerce-plugin-4-45-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation
Distribution

Remove debug log files before deploying the application into production.

Mitigation
Operation

Protect log files against unauthorized read/write.

Mitigation
Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.