Home / Vulnerability Database / VBA : Internal information leak
VBA
VBA : Internal information leak
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP MASVS
PCI DSS 4.0
CWE/SANS Top 25 2021
Overview
System configuration leak is possible. This can help an attacker to create a plan of attack.
The debug information and error messages depending on the system settings can be written to the log, outputted to the console, or sent to the user. In some cases, an attacker can make a conclusion about the system vulnerabilities from the error message. For example, a database error can indicate insecurity against attacks such as SQL injection. Information about the version of the operating system, application server and system configuration can also be of value to the attacker.
In this case, we are talking about an internal leak: system information is stored in the local file or event log or is displayed on the screen.
References
- OWASP Top 10 2013-A5-Security Misconfiguration
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2017-A6-Security Misconfiguration
- CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
- CWE-532
MEDIUM
DerScanner Severity Score
Do you want to fix VBA : Internal information leak in your application?
See also
VBA
VBA : Empty encryption key
VBA
VBA : SQL injection
VBA