Byte Open Security

(ByteOS Network)

Vulnerability Details: CVE-2023-26051

Summary
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 02 Mar, 2023 | 18:29
Updated At: 05 Mar, 2025 | 20:41
Rejected At: -
Credits: -

Saleor is vulnerable to a staff-authenticated error-message information disclosure via Python exceptions

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and are therefore returned by the API as error messages. In staff-authenticated requests, some of those messages may contain sensitive information such as a user's email address.

Common Vulnerabilities and Exposures (CVE) (cve.org)
CVE Numbering Authority (CNA)
Affected Products
Vendor: saleor
Product: saleor
Affected versions:
  • >= 2.0.0, < 3.1.48
  • >= 3.11.0, < 3.11.12
  • >= 3.10.0, < 3.10.14
  • >= 3.9.0, < 3.9.27
  • >= 3.8.0, < 3.8.30
  • >= 3.7.0, < 3.7.59
Problem Types
Type: CWE
CWE ID: CWE-209
Description: CWE-209: Generation of Error Message Containing Sensitive Information
Metrics
CVSS version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
https://github.com/saleor/saleor/security/advisories/GHSA-r8qr-wwg3-2r85 (x_refsource_CONFIRM)
https://github.com/saleor/saleor/commit/31bce881ccccf0d79a9b14ecb6ca3138d1edeec1 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.1.48 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.10.14 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.11.12 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.7.59 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.8.30 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.9.27 (x_refsource_MISC)
Authorized Data Publishers (ADP)
1. CVE Program Container
References (each tagged x_transferred):
https://github.com/saleor/saleor/security/advisories/GHSA-r8qr-wwg3-2r85 (x_refsource_CONFIRM)
https://github.com/saleor/saleor/commit/31bce881ccccf0d79a9b14ecb6ca3138d1edeec1 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.1.48 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.10.14 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.11.12 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.7.59 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.8.30 (x_refsource_MISC)
https://github.com/saleor/saleor/releases/tag/3.9.27 (x_refsource_MISC)
No affected products, metrics, solutions, workarounds, exploits, credits or timeline entries are recorded in this container.
2. CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security-advisories@github.com
Published At: 02 Mar, 2023 | 19:15
Updated At: 07 Nov, 2023 | 04:09


CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Primary (CVSS 3.1): base score 4.3, severity MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Secondary (CVSS 3.1): base score 6.5, severity MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The two vectors differ only in the confidentiality component (C:L in the primary score, C:H in the secondary score from the CNA); both require low-privilege authentication (PR:L), which matches the staff-authenticated precondition in the description.
CPE Matches
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* (vendor: saleor, product: saleor), matched version ranges:
  • from 2.0.0 (inclusive) to 3.1.48 (exclusive)
  • from 3.2.0 (inclusive) to 3.7.59 (exclusive)
  • from 3.8.0 (inclusive) to 3.8.30 (exclusive)
  • from 3.9.0 (inclusive) to 3.9.27 (exclusive)
  • from 3.10.0 (inclusive) to 3.10.14 (exclusive)
  • from 3.11.0 (inclusive) to 3.11.12 (exclusive)
Weaknesses
CWE-209 (Primary; source: nvd@nist.gov)
CWE-209 (Secondary; source: security-advisories@github.com)
References (source for all entries: security-advisories@github.com)
https://github.com/saleor/saleor/commit/31bce881ccccf0d79a9b14ecb6ca3138d1edeec1 (Patch)
https://github.com/saleor/saleor/releases/tag/3.1.48 (Release Notes)
https://github.com/saleor/saleor/releases/tag/3.10.14 (Release Notes)
https://github.com/saleor/saleor/releases/tag/3.11.12 (Release Notes)
https://github.com/saleor/saleor/releases/tag/3.7.59 (Release Notes)
https://github.com/saleor/saleor/releases/tag/3.8.30 (Release Notes)
https://github.com/saleor/saleor/releases/tag/3.9.27 (Release Notes)
https://github.com/saleor/saleor/security/advisories/GHSA-r8qr-wwg3-2r85 (Vendor Advisory)

Change History (0 entries)
Information is not available yet

Similar CVEs (112 records found)
CVE-2021-39033
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.14% / 35.43% (7-day change: ~0.00%)
Published: 19 Apr, 2022 | 16:15
Updated: 16 Sep, 2024 | 23:31
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213963.

Action: Not Available
Vendor: IBM Corporation; Linux Kernel Organization, Inc; Microsoft Corporation
Product: sterling_b2b_integrator, aix, windows, linux_kernel (Sterling B2B Integrator)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2021-26997
Matching Score: 4
Assigner: NetApp, Inc.
CVSS Score: 6.5 (MEDIUM)
EPSS: 0.24% / 46.65% (7-day change: ~0.00%)
Published: 11 Jun, 2021 | 12:44
Updated: 03 Aug, 2024 | 20:40
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

E-Series SANtricity OS Controller Software 11.x versions prior to 11.70.1 are susceptible to a vulnerability which when successfully exploited could allow a remote attacker to discover information via error messaging which may aid in crafting more complex attacks.

Action: Not Available
Vendor: n/a; NetApp, Inc.
Product: e-series_santricity_os_controller (E-Series SANtricity OS Controller Software 11.x)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-5435
Matching Score: 4
Assigner: GitLab Inc.
CVSS Score: 4.5 (MEDIUM)
EPSS: 0.07% / 22.20% (7-day change: +0.01%)
Published: 12 Sep, 2024 | 16:56
Updated: 14 Sep, 2024 | 15:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Generation of Error Message Containing Sensitive Information in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.

Action: Not Available
Vendor: GitLab Inc.
Product: gitlab (GitLab)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-51460
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.08% / 23.98% (7-day change: +0.02%)
Published: 11 Dec, 2024 | 12:15
Updated: 14 Jan, 2025 | 19:40
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM InfoSphere Information Server information disclosure

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system.

Action: Not Available
Vendor: IBM Corporation
Product: infosphere_information_server (InfoSphere Information Server)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-51560
Matching Score: 4
Assigner: Indian Computer Emergency Response Team (CERT-In)
CVSS Score: 7.1 (HIGH)
EPSS: 0.10% / 28.87% (7-day change: ~0.00%)
Published: 04 Nov, 2024 | 12:23
Updated: 08 Nov, 2024 | 15:18
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Improper Error Handling Vulnerability in Wave 2.0

This vulnerability exists in Wave 2.0 due to improper exception handling for invalid inputs at a certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for the "userId" parameter in the API request, leading to generation of an error message containing sensitive information on the targeted system.

Action: Not Available
Vendor: 63moons; Brokerage Technology Solutions
Product: wave_2.0, aero (Wave 2.0)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2022-34882
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 9 (CRITICAL)
EPSS: 0.13% / 33.34% (7-day change: ~0.00%)
Published: 06 Sep, 2022 | 06:30
Updated: 03 Aug, 2024 | 09:22
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Information Exposure Vulnerability in RAID Manager Storage Replication Adapter

Information Exposure Through an Error Message vulnerability in Hitachi RAID Manager Storage Replication Adapter allows remote authenticated users to gain sensitive information. This issue affects: Hitachi RAID Manager Storage Replication Adapter 02.01.04 versions prior to 02.03.02 on Windows; 02.05.00 versions prior to 02.05.01 on Windows and Docker.

Action: Not Available
Vendor: Docker, Inc.; Hitachi, Ltd.; Microsoft Corporation
Product: docker, windows, raid_manager_storage_replication_adapter (RAID Manager Storage Replication Adapter)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-49818
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.05% / 15.89% (7-day change: ~0.00%)
Published: 17 Dec, 2024 | 17:35
Updated: 07 Jan, 2025 | 17:20
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM Security Guardium Key Lifecycle Manager information disclosure

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

Action: Not Available
Vendor: IBM Corporation
Product: security_guardium_key_lifecycle_manager (Security Guardium Key Lifecycle Manager)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-49798
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.05% / 14.21% (7-day change: ~0.00%)
Published: 05 Feb, 2025 | 23:50
Updated: 22 Feb, 2025 | 22:06
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM ApplinX Information Disclosure

IBM ApplinX 11.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

Action: Not Available
Vendor: IBM Corporation
Product: applinx (ApplinX)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2021-32775
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 7.7 (HIGH)
EPSS: 0.29% / 51.80% (7-day change: ~0.00%)
Published: 21 Jul, 2021 | 20:20
Updated: 03 Aug, 2024 | 23:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Any user can see any fields (including mailbox password) with GroupBy Dashlet

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0.

Action: Not Available
Vendor: combodo (Combodo)
Product: itop (iTop)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2021-20371
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.14% / 34.77% (7-day change: ~0.00%)
Published: 02 Jun, 2021 | 20:40
Updated: 16 Sep, 2024 | 23:06
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

IBM Jazz Foundation and IBM Engineering products could allow a remote attacker to obtain sensitive information when an error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 195516.

Action: Not Available
Vendor: IBM Corporation
Product: rational_doors_next_generation, rational_engineering_lifecycle_manager, engineering_test_management, rational_quality_manager, engineering_lifecycle_optimization_-_publishing, removable_media_manager, engineering_lifecycle_optimization_-_engineering_insights, collaborative_lifecycle_management, engineering_lifecycle_management (Rational Quality Manager; Rational DOORS Next Generation; Rational Rhapsody Model Manager; Rational Collaborative Lifecycle Management; Engineering Lifecycle Optimization; Rational Engineering Lifecycle Manager; Engineering Test Management)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2021-20413
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.09% / 26.38% (7-day change: ~0.00%)
Published: 28 Jun, 2021 | 15:55
Updated: 16 Sep, 2024 | 19:00
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

IBM Guardium Data Encryption (GDE) 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196212.

Action: Not Available
Vendor: IBM Corporation
Product: guardium_data_encryption (Guardium Data Encryption)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information
CVE-2024-35155
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 6.5 (MEDIUM)
EPSS: 0.04% / 12.30% (7-day change: ~0.00%)
Published: 28 Jun, 2024 | 17:40
Updated: 02 Aug, 2024 | 03:07
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM MQ information disclosure

IBM MQ Console 9.3 LTS and 9.3 CD could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 292765.

Action: Not Available
Vendor: IBM Corporation
Product: mq (MQ)
CWE ID: CWE-209 Generation of Error Message Containing Sensitive Information