System->Maintenance-> Log Files in dotCMS dashboard is providing the username/password for database connections in the log output. Nevertheless, this is a moderate issue as it requires a backend admin as well as that dbs are locked down by environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
Weakness
The product writes sensitive information to a log file.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dotcms | Dotcms | 22.02 (including) | 22.03.15 (excluding) |
| Dotcms | Dotcms | 23.01 (including) | 23.01.15 (excluding) |
| Dotcms | Dotcms | 23.02 (including) | 23.09.7 (including) |
| Dotcms | Dotcms | 23.10.24-1 (including) | 23.10.24-1 (including) |
| Dotcms | Dotcms | 23.10.24-2 (including) | 23.10.24-2 (including) |
| Dotcms | Dotcms | 23.10.24-3 (including) | 23.10.24-3 (including) |
| Dotcms | Dotcms | 23.10.24-4 (including) | 23.10.24-4 (including) |
| Dotcms | Dotcms | 23.10.24-5 (including) | 23.10.24-5 (including) |
| Dotcms | Dotcms | 23.10.24-6 (including) | 23.10.24-6 (including) |
| Dotcms | Dotcms | 23.10.24-7 (including) | 23.10.24-7 (including) |