Vulnerabilities (CVE)

Filtered by CWE-209
Total 516 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-43777 1 Liferay 2 Digital Experience Platform, Liferay Portal 2025-12-12 N/A 5.3 MEDIUM
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the response body when a login attempt is made with a deleted Client Secret.
CVE-2025-66549 1 Nextcloud 1 Desktop 2025-12-09 N/A 2.4 LOW
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
CVE-2025-64749 1 Monospace 1 Directus 2025-12-08 N/A 4.3 MEDIUM
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collecti ...

CVE-2025-52671 1 Revive-adserver 1 Revive Adserver 2025-12-02 N/A 4.3 MEDIUM
Debug information disclosure in the SQL error message in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to acquire information about the software, PHP and database versions currently in use.
CVE-2024-23689 1 Clickhouse 1 Java Libraries 2025-11-29 N/A 8.8 HIGH
Exposure of sensitive information in exceptions in ClickHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
CVE-2025-13596 2025-11-25 N/A N/A
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reco ...

CVE-2025-41076 1 Limesurvey 1 Limesurvey 2025-11-21 N/A 6.5 MEDIUM
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the app ...

CVE-2025-54562 1 Desktopalert 1 Pingalert Application Server 2025-11-20 N/A 4.3 MEDIUM
A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows technical information to be disclosed through a stack trace.
CVE-2025-9977 2025-11-19 N/A N/A
A value provided in one of the POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented, probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infras ...

CVE-2025-62397 1 Moodle 1 Moodle 2025-11-14 N/A 5.3 MEDIUM
The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.
CVE-2025-40760 2025-11-12 N/A 5.5 MEDIUM
A vulnerability has been identified in Altair Grid Engine (All versions < V2026.0.0). Affected products do not properly handle error messages and disclose sensitive password hash information when processing user authentication requests. This could allow a local attacker to extract password hashes for privileged accounts, which can then be subjected to offline brute-force attacks.
CVE-2025-12365 1 Azure-access 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more 2025-11-10 N/A 5.3 MEDIUM
Error Messages Wrapped In HTTP Header. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CVE-2024-35111 1 Ibm 1 Control Center 2025-11-06 N/A 4.3 MEDIUM
IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVE-2025-61959 1 Vertikalsystems 1 Hospital Manager Backend Services 2025-11-06 N/A 5.3 MEDIUM
Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"', which could have facilitated reconnaissance by unauthenticated attackers.
CVE-2025-62168 1 Squid-cache 1 Squid 2025-11-05 N/A 10.0 CRITICAL
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Sq ...

CVE-2025-9229 2025-11-05 N/A 5.3 MEDIUM
Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages.
CVE-2024-21733 1 Apache 1 Tomcat 2025-11-03 N/A 5.3 MEDIUM
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
CVE-2025-52619 1 Hcltech 1 Bigfix Saas 2025-10-29 N/A 5.3 MEDIUM
HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform.
CVE-2025-31998 1 Hcltech 1 Unica Centralized Offer Management 2025-10-29 N/A 3.5 LOW
HCL Unica Centralized Offer Management is vulnerable to poorly handled exceptions which expose sensitive information. An attacker can use this information to exploit known vulnerabilities and launch targeted attacks, such as remote code execution or denial of service.
CVE-2024-29059 1 Microsoft 15 .net Framework, Windows 10 1507, Windows 10 1607 and 12 more 2025-10-28 N/A 7.5 HIGH
.NET Framework Information Disclosure Vulnerability
CVE-2025-0053 1 Sap 1 Sap Basis 2025-10-24 N/A 5.3 MEDIUM
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits.
CVE-2025-55676 1 Microsoft 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 2025-10-24 N/A 5.5 MEDIUM
Generation of error message containing sensitive information in Windows USB Video Driver allows an authorized attacker to disclose information locally.
CVE-2025-54291 1 Canonical 1 Lxd 2025-10-24 N/A 5.3 MEDIUM
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
CVE-2024-41983 1 Siemens 1 Opcenter Quality 2025-10-23 N/A 3.5 LOW
A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application displays SQL statements in the error messages encountered during the generation of reports using the Cockpit tool.
CVE-2024-41984 1 Siemens 1 Opcenter Quality 2025-10-22 N/A 2.6 LOW
A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application improperly handles an error while accessing an inaccessible resource, leading to exposure of the system applications.
CVE-2013-7331 1 Microsoft 10 Internet Explorer, Windows 7, Windows 8 and 7 more 2025-10-22 4.3 MEDIUM 6.5 MEDIUM
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
CVE-2022-35715 3 Ibm, Linux, Microsoft 4 Aix, Infosphere Information Server, Linux Kernel and 1 more 2025-10-20 N/A 7.5 HIGH
IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system. IBM X-Force ID: 231202.
CVE-2025-40718 1 Quiter 1 Quiter Gateway 2025-10-18 N/A 7.5 HIGH
Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
CVE-2024-44762 1 Webmin 1 Usermin 2025-10-15 N/A 5.3 MEDIUM
A discrepancy in error messages for invalid login attempts in Webmin Usermin v2.100 allows attackers to enumerate valid user accounts.
CVE-2025-0279 1 Hcltech 1 Traveler 2025-10-10 N/A 4.3 MEDIUM
HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
CVE-2024-39458 1 Jenkins 1 Structs 2025-10-10 N/A 3.1 LOW
When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log.
CVE-2025-53803 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2025-10-02 N/A 5.5 MEDIUM
Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally.
CVE-2025-46658 1 4cstrategies 1 Exonaut 2025-10-02 N/A 9.8 CRITICAL
An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. There are verbose error messages.
CVE-2025-48562 1 Google 1 Android 2025-09-26 N/A 5.0 MEDIUM
In writeContent of RemotePrintDocument.java, there is a possible information disclosure due to a logic error. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
CVE-2021-47381 1 Linux 1 Linux Kernel 2025-09-25 N/A 5.5 MEDIUM
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Fix DSP oops stack dump output contents Fix @buf arg given to hex_dump_to_buffer() and stack address used in dump error output.
CVE-2025-54791 1 Openmicroscopy 1 Omero-web 2025-09-23 N/A 5.3 MEDIUM
OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property.
CVE-2025-8852 1 5kcrm 1 Wukongcrm 2025-09-16 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. This affects an unknown part of the file /adminFile/upload of the component API Response Handler. The manipulation leads to information exposure through error message. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-36003 1 Ibm 1 Security Verify Governance 2025-09-16 N/A 7.5 HIGH
IBM Security Verify Governance Identity Manager 10.0.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system.
CVE-2024-53253 1 Sentry 1 Sentry 2025-09-15 N/A 5.3 MEDIUM
Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. The Client ID and Client Secret would not be displayed in the UI, but would be returned in the underlying HTTP response to the end user. This could occur under the following conditions: An app installation made use ...

CVE-2025-59016 1 Typo3 1 Typo3 2025-09-10 N/A 4.3 MEDIUM
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.