Summary #

Invicti identified a database error message disclosure.

Impact #
The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL injection vulnerability. Most of the time Netsparker will detect and report that problem separately.
Remediation #
Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
Classifications #
PCI v3.1-6.5.5; PCI v3.2-6.5.5; CAPEC-118; CWE-210; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-13; OWASP 2013-A5; OWASP 2017-A6

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo