Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-49009

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-05 Jun, 2025 | 16:40
Updated At-17 Jun, 2025 | 13:54
Rejected At-
Credits

Para Inserts Sensitive Information into Log File for Facebook authentication

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:05 Jun, 2025 | 16:40
Updated At:17 Jun, 2025 | 13:54
Rejected At:
â–¼CVE Numbering Authority (CNA)
Para Inserts Sensitive Information into Log File for Facebook authentication

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.

Affected Products
Vendor
Erudika
Product
para
Versions
Affected
  • < 1.50.8
Problem Types
TypeCWE IDDescription
CWECWE-532CWE-532: Insertion of Sensitive Information into Log File
Type: CWE
CWE ID: CWE-532
Description: CWE-532: Insertion of Sensitive Information into Log File
Metrics
VersionBase scoreBase severityVector
3.16.2MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
x_refsource_CONFIRM
https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
x_refsource_MISC
Hyperlink: https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:05 Jun, 2025 | 17:15
Updated At:05 Jun, 2025 | 20:12

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.2MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-532Primarysecurity-advisories@github.com
CWE ID: CWE-532
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cfsecurity-advisories@github.com
N/A
https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545gsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

15Records found
CVE-2025-48955
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.14% / 4.12%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 11:11
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Para Server Logs Sensitive Information

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.

Action-Not Available
Vendor-Erudika
Product-para
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2022-43923
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.19% / 8.62%
||
7 Day CHG~0.00%
Published-24 Feb, 2023 | 14:13
Updated-11 Mar, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Maximo Application Suite 8.8.0 and 8.9.0 stores potentially sensitive information that could be read by a local user. IBM X-Force ID: 241584.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_application_suiteMaximo Application Suite
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-20818
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.69% / 48.02%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 17:56
Updated-01 Apr, 2026 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Kernel Information Disclosure Vulnerability

Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2022_23h2windows_server_2025windows_server_2019windows_server_2022Windows Server 2025Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2025 (Server Core installation)Windows Server 2016Windows Server 2019 (Server Core installation)Windows Server 2022Windows Server 2016 (Server Core installation)Windows Server 2019
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-45091
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.20% / 9.94%
||
7 Day CHG+0.01%
Published-21 Jan, 2025 | 00:41
Updated-29 Jan, 2025 | 21:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM UrbanCode Deploy information disclosure

IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.24, 7.1 through 7.1.2.10, and 7.2 through 7.2.3.13 stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs.

Action-Not Available
Vendor-IBM Corporation
Product-urbancode_deployUrbanCode Deploy
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-42196
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.57%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 14:47
Updated-14 Apr, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Launch is susceptible to Insertion of Sensitive Information into Log File vulnerability

HCL Launch stores potentially sensitive information in log files that could be read by a local user with access to HTTP request logs.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchLaunch
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-22184
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.30% / 21.70%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 19:11
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-20536
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.27% / 17.79%
||
7 Day CHG~0.00%
Published-26 Apr, 2021 | 16:30
Updated-16 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Spectrum Protect Plus File Systems Agent 10.1.6 and 10.1.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 198836.

Action-Not Available
Vendor-Microsoft CorporationIBM Corporation
Product-windowsspectrum_protect_plusSpectrum Protect Plus
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-59258
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.54% / 41.04%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 17:00
Updated-22 Feb, 2026 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability

Insertion of sensitive information into log file in Active Directory Federation Services allows an unauthorized attacker to disclose information locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2012windows_server_2022windows_server_2022_23h2windows_server_2025windows_server_2019windows_server_2016Windows Server 2025Windows Server 2022Windows Server 2025 (Server Core installation)Windows Server 2012 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2016Windows Server 2012 R2Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2012Windows Server 2012 R2 (Server Core installation)
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-27154
Matching Score-4
Assigner-Toshiba Corporation
ShareView Details
Matching Score-4
Assigner-Toshiba Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.25% / 16.24%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 02:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passwords are stored in clear-text logs.

Passwords are stored in clear-text logs. An attacker can retrieve passwords. As for the affected products/models/versions, see the reference URL.

Action-Not Available
Vendor-Toshiba Tec Corporationtoshibatec
Product-Toshiba Tec e-Studio multi-function peripheral (MFP)e-studio-4528-age-studio-2020_ace-studio-3115-nce-studio-2110-ace-studio-2015-nce-studio-3015-nce-studio-2510-ace-studio-3028-ae-studio-2515-nce-studio-5525_ace-studio-5528-ae-studio-4515_ace-studio-2518_ae-studio-400-ace-studio-3118_ae-studio-3525_ace-studio-3118_age-studio-2528-ae-studio-4615_ace-studio-2520_nce-studio-2618_ae-studio-9029-ae-studio-3018_ae-studio-7527-ace-studio-4525_ace-studio-2018_ae-studio-2021_ace-studio-2521_ace-studio-3025_ace-studio-6525_ace-studio-3528-age-studio-6527-ace-studio-2610-ace-studio-5015_ace-studio-6529-ae-studio-3515-nce-studio-6528-ae-studio-3528-ae-studio-3615-nce-studio-7529-ae-studio-2010-ace-studio-4528-ae-studio-2615-nce-studio-6526-ace-studio-5525_acge-studio-330-ace-studio-5115_ace-studio-2525_ace-studio-6525_acge-studio-3525_acg
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2024-25030
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.19% / 8.89%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 12:14
Updated-13 Feb, 2025 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 281677.

Action-Not Available
Vendor-IBM Corporation
Product-db2Db2 for Linux, UNIX and Windows
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-40694
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.17% / 6.37%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 21:09
Updated-20 Aug, 2025 | 03:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Watson CP4D Data Stores information disclosure

IBM Watson CP4D Data Stores 4.0.0 through 4.8.4 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 264838.

Action-Not Available
Vendor-Red Hat, Inc.IBM Corporation
Product-openshiftwatson_cp4d_data_storesWatson CP4D Data Stores
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2025-36050
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.82%
||
7 Day CHG~0.00%
Published-19 Jun, 2025 | 17:13
Updated-26 Aug, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM QRadar SIEM information disclosure

IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 stores potentially sensitive information in log files that could be read by a local user.

Action-Not Available
Vendor-IBM Corporation
Product-QRadar SIEM
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-9073
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.2||MEDIUM
EPSS-Not Assigned
Published-23 Jun, 2026 | 19:53
Updated-24 Jun, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foreman-mcp-server: mcp server: insecure sensitive http header sanitization

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Satellite 6.19
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-25682
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.23% / 13.36%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 18:45
Updated-02 Aug, 2024 | 11:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator information disclosure

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.1 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 247034.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator Standard Edition
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2022-43930
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.2||MEDIUM
EPSS-0.49% / 38.39%
||
7 Day CHG~0.00%
Published-17 Feb, 2023 | 17:04
Updated-12 Mar, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Db2 for Linux, UNIX and Windows information disclosure

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to an Information Disclosure as sensitive information may be included in a log file. IBM X-Force ID: 241677.

Action-Not Available
Vendor-IBM CorporationMicrosoft Corporation
Product-windowsdb2Db2 for Linux, UNIX and Windows
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
Details not found