Dontgitit

#44561 of 53,608
5.9 Total CVSS
Vulnerabilities · 1
PT-2022-20467
5.9
2022-06-02
Unknown · Play Framework · CVE-2022-31023
**Name of the Vulnerable Software and Affected Versions**

Play Framework versions prior to 2.8.16

**Description**

The issue concerns the generation of error messages containing sensitive information in Play Framework. When run in dev mode, Play Framework shows verbose errors for easy debugging, including an exception stack trace. This behavior is configured by the `DefaultHttpErrorHandler` based on the application mode. However, the static object `DefaultHttpErrorHandler` is configured to always show verbose errors, which can be inadvertently used in production or improperly configured as the injected error handler. This could result in verbose errors displaying to users in a production application, exposing sensitive information. Specifically, the constructor for `CORSFilter` and the `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value.

**Recommendations**

For versions prior to 2.8.16, when constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally, this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`.

Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.

Update to Play Framework 2.8.16, where the `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior.
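
A source check for the first two recommendations, added here as an example and not taken from the advisory or from Play Framework: it flags `CORSFilter` / `CORSActionBuilder` calls that fall back to the default error handler and direct references to the static `DefaultHttpErrorHandler` object. The Scala sample is constructed, the function names are hypothetical, and the check assumes `errorHandler` is the second positional parameter of both calls.

```python
import re

# Assumption: errorHandler is the second positional parameter of the
# CORSFilter constructor and of CORSActionBuilder.apply (pre-2.8.16).
CALL = re.compile(r"\b(CORSFilter|CORSActionBuilder)\s*\(")
# Heuristic: a bare reference to the static object, not `new X` or `extends X`.
STATIC_REF = re.compile(r"(?<!new )(?<!extends )\bDefaultHttpErrorHandler\b")

# Constructed Scala input showing the risky and the corrected constructions.
SAMPLE = '''\
import play.api.http.{DefaultHttpErrorHandler, HttpErrorHandler}
import play.filters.cors.{CORSConfig, CORSFilter}

class Filters(conf: CORSConfig, injected: HttpErrorHandler)(implicit m: Materializer) {
  val risky = new CORSFilter(conf)
  val explicit = new CORSFilter(conf, DefaultHttpErrorHandler)
  val safe = new CORSFilter(conf, injected)
  val named = new CORSFilter(errorHandler = injected)
}
'''

def split_args(src, start):
    """Top-level arguments of the call whose '(' is at src[start]."""
    depth, args, cur = 1, [], ""
    for ch in src[start + 1:]:
        depth += (ch in "([{") - (ch in ")]}")
        if depth == 0:
            break
        if ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [a for a in args + [cur.strip()] if a]

def find_issues(source):
    """Return sorted (line_number, message) pairs that need manual review."""
    issues = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end() - 1)
        named = any(re.match(r"errorHandler\s*=", a) for a in args)
        positional = [a for a in args if not re.match(r"\w+\s*=[^=>]", a)]
        if not named and len(positional) < 2:
            line = source.count("\n", 0, m.start()) + 1
            issues.append((line, f"{m.group(1)} built without an explicit errorHandler"))
    for n, text in enumerate(source.splitlines(), 1):
        if not text.lstrip().startswith("import") and STATIC_REF.search(text):
            issues.append((n, "static DefaultHttpErrorHandler object referenced"))
    return sorted(issues)
```

The matching is textual, so string literals and type annotations can produce false positives; treat each hit as a line to review rather than a confirmed finding.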