CVE-2024-38516

Aimeos HTML client may potentially reveal sensitive information in error log

CVSS 8.8 HIGH · EPSS 0.5% · CWE-1295
In short

The Aimeos e-commerce HTML client was logging sensitive environment variable information in error logs when debug mode was enabled, potentially exposing secrets like API keys or database credentials to anyone who could access those logs.

Technical detail

A CWE-1295 (Debug Messages Revealing Unnecessary Information) weakness in the Aimeos ai-client-html component: improper handling of debug output causes sensitive environment variables to be written to the error log. The attack vector is local/adjacent network access to the error logs, and the issue requires debug mode to be enabled. Impact includes disclosure of credentials and configuration secrets.

Summary generated and translated by AI from the official description.

ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and 2021.10.22.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
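The weakness class described above (a debug path that dumps the raw process environment into an error log) and the mitigation a defender would want are illustrated by the following added example. It is not Aimeos code and not the actual patch shipped in the fixed versions; the function names, the secret-name patterns and the sample environment are all assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed example, not Aimeos code. Variable names matching these
// patterns are treated as secrets and never written to a log line.
const SECRET_NAME_PATTERNS = [
    '/PASS(WORD)?/i',
    '/SECRET/i',
    '/TOKEN/i',
    '/API[_-]?KEY/i',
    '/PRIVATE[_-]?KEY/i',
    '/DSN/i',          // connection strings often embed credentials
    '/DATABASE_URL/i',
];

// True when a variable name looks like it holds a credential.
function isSecretName(string $name): bool
{
    foreach (SECRET_NAME_PATTERNS as $pattern) {
        if (preg_match($pattern, $name) === 1) {
            return true;
        }
    }
    return false;
}

// Return a copy of $vars with secret-looking values replaced by a marker.
// The key is kept so an operator can still see which variables were set.
function redactEnvironment(array $vars): array
{
    $out = [];
    foreach ($vars as $name => $value) {
        $out[$name] = isSecretName((string) $name) ? '[REDACTED]' : $value;
    }
    return $out;
}

// Weak pattern (hypothetical): with debug on, the raw environment is
// attached to the error record, so every credential lands in the log.
function formatErrorUnsafe(Throwable $e, array $env, bool $debug): string
{
    $context = $debug ? $env : [];
    return sprintf('%s %s', $e->getMessage(), json_encode($context));
}

// Hardened pattern (hypothetical): the environment is redacted before it
// reaches the log line, whether or not debug mode is enabled.
function formatErrorSafe(Throwable $e, array $env, bool $debug): string
{
    $context = $debug ? redactEnvironment($env) : [];
    return sprintf('%s %s', $e->getMessage(), json_encode($context));
}

// Constructed sample environment; every value is a fake placeholder.
$env = [
    'APP_ENV'        => 'production',
    'DB_PASSWORD'    => 'example-db-password',
    'STRIPE_API_KEY' => 'sk_test_placeholder',
    'DATABASE_URL'   => 'mysql://shop:example-db-password@db/aimeos',
    'LOG_LEVEL'      => 'debug',
];

$e = new RuntimeException('Checkout failed');
echo formatErrorUnsafe($e, $env, true), PHP_EOL; // leaks all four secrets
echo formatErrorSafe($e, $env, true), PHP_EOL;   // secrets show as [REDACTED]
```

Name-based redaction is a coarse filter: it catches the conventional `*_PASSWORD` and `*_KEY` variables but not a secret stored under an unusual name, so the stronger control is still to keep debug mode off in production and to restrict who can read the error log, as the advisory's affected-versions note implies.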
Affected products
aimeos · ai-client-html
