The System -> Maintenance -> Log Files view in the dotCMS dashboard exposes the username and password for database connections in the log output. That said, this is a moderate issue, since reading the logs requires a backend admin account and databases are typically locked down per environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
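As an added example (not dotCMS code, and not its real log format), the following scanner flags and masks database credentials in log lines before they are shown in a dashboard or shipped to a log store. The patterns are generic heuristics for key-value passwords and user:password pairs in connection URLs; the sample log lines are constructed.

```python
import re
from typing import Iterable

# Heuristic patterns for how DB credentials commonly leak into logs.
# Each pattern has three groups: (prefix)(secret)(suffix); only the secret is masked.
_PATTERNS = [
    # password=s3cret / db.password: s3cret / "password": "s3cret" / ...&password=s3cret
    ("key-value password",
     re.compile(r"""(?i)((?:db[._-])?pass(?:word)?\s*["']?\s*[:=]\s*["']?)([^\s"'&;,]+)()""")),
    # jdbc:postgresql://user:s3cret@host/db or postgres://user:s3cret@host/db
    ("credentials in connection URL",
     re.compile(r"(?i)((?:jdbc:)?[a-z0-9+.-]+://[^\s/:@]+:)([^\s@/]+)(@)")),
]

def redact_credentials(line: str) -> tuple[str, list[str]]:
    """Return the line with secrets masked plus the kinds of leak found in it."""
    kinds: list[str] = []
    for kind, pattern in _PATTERNS:
        def mask(m: re.Match, _kind: str = kind) -> str:
            kinds.append(_kind)
            return m.group(1) + "*****" + m.group(3)
        line = pattern.sub(mask, line)
    return line, kinds

def scan_log(lines: Iterable[str]) -> list[dict]:
    """Scan log lines; return one finding per line that leaks a credential."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        redacted, kinds = redact_credentials(raw)
        if kinds:
            findings.append({"line": lineno, "kinds": kinds, "redacted": redacted})
    return findings

# Constructed sample log (hypothetical datasource startup output, not real dotCMS logs).
SAMPLE_LOG = """\
2024-01-15 10:02:11 INFO  Starting datasource pool
2024-01-15 10:02:11 DEBUG jdbc url: jdbc:postgresql://db.internal:5432/dotcms?user=dotcms&password=s3cret
2024-01-15 10:02:12 DEBUG datasource user=dotcms password=s3cret pool=20
2024-01-15 10:02:12 INFO  connecting to postgres://dotcms:s3cret@db.internal/dotcms
2024-01-15 10:02:13 INFO  Pool ready (20 connections)
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['kinds'])} -> {f['redacted']}")
```

Run the redaction on the log-viewer path (so admins see masked values) and the scan as a periodic check that the leak has not reappeared after an upgrade.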
Name | Vendor | Start Version | End Version |
---|---|---|---|
Dotcms | Dotcms | 22.02 (including) | 22.03.15 (excluding) |
Dotcms | Dotcms | 23.01 (including) | 23.01.15 (excluding) |
Dotcms | Dotcms | 23.02 (including) | 23.09.7 (including) |
Dotcms | Dotcms | 23.10.24-1 (including) | 23.10.24-1 (including) |
Dotcms | Dotcms | 23.10.24-2 (including) | 23.10.24-2 (including) |
Dotcms | Dotcms | 23.10.24-3 (including) | 23.10.24-3 (including) |
Dotcms | Dotcms | 23.10.24-4 (including) | 23.10.24-4 (including) |
Dotcms | Dotcms | 23.10.24-5 (including) | 23.10.24-5 (including) |
Dotcms | Dotcms | 23.10.24-6 (including) | 23.10.24-6 (including) |
Dotcms | Dotcms | 23.10.24-7 (including) | 23.10.24-7 (including) |
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: