PT-2020-12917 · Divante · Vue-Storefront-Api+1

Gibkigonzo

Published

2020-04-17

Updated

2022-05-24

CVE-2020-11883

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Divante vue-storefront-api versions 1.11.1 and earlier Divante storefront-api versions 1.0-rc.1 and earlier

Description The issue arises from unexpected HTTP requests that lead to an exception, resulting in the disclosure of the error stack trace. This error stack trace includes absolute file paths and Node.js module names.

Recommendations For Divante vue-storefront-api versions 1.11.1 and earlier, consider implementing error handling to prevent the disclosure of sensitive information in the error stack trace. For Divante storefront-api versions 1.0-rc.1 and earlier, restrict access to error messages that may contain absolute file paths and Node.js module names to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Generation of Error Message Containing Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-209

Related Identifiers

CVE-2020-11883

GHSA-9WXJ-37P8-49FF

Affected Products

Storefront-Api

Vue-Storefront-Api

PT-2020-12917 · Divante · Vue-Storefront-Api+1

CVE-2020-11883

Weakness Enumeration

Related Identifiers

Affected Products

References · 7