CVE-2024-3165 Information
Apr 02, 2024
cve
Description
The System -> Maintenance -> Log Files view in the dotCMS dashboard includes the username and password for database connections in the log output. This is nevertheless a moderate issue, since viewing the logs requires a backend admin account and databases are locked down per environment.
OWASP Top 10 - A05) Insecure Design
OWASP Top 10 - A05) Security Misconfiguration
OWASP Top 10 - A09) Security Logging and Monitoring Failure
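As an added defensive example (not dotCMS code; the log line shapes below are assumptions, since the advisory does not show the actual log format), a small Python scanner that flags and masks database credentials in log lines, so that a log viewer or log shipper does not expose them:

```python
import re
from typing import Iterable, List, Tuple

# Credential shapes that commonly appear in connection-string dumps. These are
# assumptions about how such a leak could look, not the dotCMS log format.
_PATTERNS = [
    # scheme://user:secret@host  (e.g. jdbc:mysql://admin:secret@dbhost/db)
    re.compile(r"(?P<prefix>[a-z][a-z0-9+.-]*://[^:/\s@]+:)(?P<secret>[^@\s]+)(?=@)", re.I),
    # password=secret / db.password: secret / ...?password=secret
    re.compile(r"(?P<prefix>\b(?:db[._-]?)?pass(?:word)?\b\s*[:=]\s*)(?P<secret>[^\s&;,\"']+)", re.I),
]

REDACTED = "***REDACTED***"


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (redacted_line, found); found is True if a secret was masked."""
    found = False
    for pat in _PATTERNS:
        line, n = pat.subn(lambda m: m.group("prefix") + REDACTED, line)
        found = found or n > 0
    return line, found


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line carrying a DB credential."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        clean, found = redact_line(raw.rstrip("\n"))
        if found:
            hits.append((lineno, clean))
    return hits


# Constructed sample log lines (not taken from dotCMS): two leak credentials, two are clean.
SAMPLE_LOG = [
    "INFO  Starting connection pool",
    "DEBUG datasource url=jdbc:postgresql://dbhost:5432/dotcms?user=dotcms&password=Hunter2!",
    "DEBUG pool props: db.user=dotcms db.password=Hunter2!",
    "INFO  Pool ready",
]

if __name__ == "__main__":
    for lineno, text in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {text}")
```

Running the scanner over the two leaking sample lines reports them with the password replaced, while the clean lines are left untouched.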
References
https://auth.dotcms.com/security/SI-70?token=563ec927-3190-4478-bd77-0d6f8c6fc676
https://github.com/dotCMS/core/issues/27910
https://github.com/dotCMS/core/pull/28006