Description
View on MITREExtended Description
Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description Extended Description
If exploited, CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) it can compromise Read Application Data, leading to outcomes such as Scope: Confidentiality.
Recommended mitigations for CWE-497 include: Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
CWE-497 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-497 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.