CWE-540
Inclusion of Sensitive Information in Source Code
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
CVE-2024-38327 (GCVE-0-2024-38327)
Vulnerability from cvelistv5
Published
2025-07-10 14:14
Modified
2025-08-18 01:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-540 - Inclusion of Sensitive Information in Source Code
Summary
IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7234122 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Analytics Content Hub |
Version: 2.0, 2.1, 2.2, 2.3 cpe:2.3:a:ibm:analytics_content_hub:2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:analytics_content_hub:2.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:analytics_content_hub:2.2:*:*:*:*:*:*:* cpe:2.3:a:ibm:analytics_content_hub:2.3:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T20:15:33.856479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T20:15:42.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:analytics_content_hub:2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:analytics_content_hub:2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:analytics_content_hub:2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:analytics_content_hub:2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Analytics Content Hub",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2.0, 2.1, 2.2, 2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application\u0027s API."
}
],
"value": "IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application\u0027s API."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-540",
"description": "CWE-540 Inclusion of Sensitive Information in Source Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T01:35:53.589Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7234122"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Analytics Content Hub 2.0 - 2.3 - Download IBM Cognos Analytics Content Hub 2.4\u003cbr\u003e"
}
],
"value": "IBM Analytics Content Hub 2.0 - 2.3 - Download IBM Cognos Analytics Content Hub 2.4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Analytics Content Hub information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-38327",
"datePublished": "2025-07-10T14:14:40.562Z",
"dateReserved": "2024-06-13T21:43:59.170Z",
"dateUpdated": "2025-08-18T01:35:53.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55907 (GCVE-0-2024-55907)
Vulnerability from cvelistv5
Published
2025-03-02 15:22
Modified
2025-09-01 01:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-540 - Inclusion of Sensitive Information in Source Code
Summary
IBM Cognos Analytics Mobile 1.1 for iOS application could allow an attacker to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used due to weak obfuscation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7184429 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Cognos Analytics Mobile |
Version: 1.1 cpe:2.3:a:ibm:cognos_analytics_mobile:1.1:*:*:*:*:ios:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T15:24:58.531148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T15:25:14.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics_mobile:1.1:*:*:*:*:ios:*:*"
],
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Cognos Analytics Mobile",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Analytics Mobile 1.1 for iOS application could allow an attacker to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used due to weak obfuscation."
}
],
"value": "IBM Cognos Analytics Mobile 1.1 for iOS application could allow an attacker to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used due to weak obfuscation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-540",
"description": "CWE-540 Inclusion of Sensitive Information in Source Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T01:09:49.562Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7184429"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Mobile information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-55907",
"datePublished": "2025-03-02T15:22:59.258Z",
"dateReserved": "2024-12-12T18:07:25.450Z",
"dateUpdated": "2025-09-01T01:09:49.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0923 (GCVE-0-2025-0923)
Vulnerability from cvelistv5
Published
2025-06-11 17:28
Modified
2025-08-24 11:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-540 - Inclusion of Sensitive Information in Source Code
Summary
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7234674 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Cognos Analytics |
Version: 11.2.0 Version: 11.2.1 Version: 11.2.2 Version: 11.2.3 Version: 11.2.4 Version: 12.0.0 Version: 12.0.1 Version: 12.0.2 Version: 12.0.3 Version: 12.0.4 cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:11.2.2:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:11.2.3:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:11.2.4:interm_fix3:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.2:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.3:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_analytics:12.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T17:39:08.665255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T17:40:49.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:11.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:11.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:11.2.4:interm_fix3:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cognos_analytics:12.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cognos Analytics",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.2.0"
},
{
"status": "affected",
"version": "11.2.1"
},
{
"status": "affected",
"version": "11.2.2"
},
{
"status": "affected",
"version": "11.2.3"
},
{
"status": "affected",
"version": "11.2.4"
},
{
"status": "affected",
"version": "12.0.0"
},
{
"status": "affected",
"version": "12.0.1"
},
{
"status": "affected",
"version": "12.0.2"
},
{
"status": "affected",
"version": "12.0.3"
},
{
"status": "affected",
"version": "12.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system."
}
],
"value": "IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-540",
"description": "CWE-540 Inclusion of Sensitive Information in Source Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-24T11:57:12.698Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7234674"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Cognos Analytics 12.0.4 FP1 IBM Cognos Analytics 12.0.4 Fix Pack 1\u003cbr\u003eIBM Cognos Analytics 11.2.4 IF4 IBM Cognos Analytics 11.2.4.5 Interim Fix 5\u003cbr\u003e\u003cbr\u003eIBM Cognos Analytics 11.2.0-11.2.4 IF3 customers that have already applied IBM Cognos Analytics 11.2.4 IF4 and/or 11.2.4 IF5, no further action is required.\u003cbr\u003e"
}
],
"value": "IBM Cognos Analytics 12.0.4 FP1 IBM Cognos Analytics 12.0.4 Fix Pack 1\nIBM Cognos Analytics 11.2.4 IF4 IBM Cognos Analytics 11.2.4.5 Interim Fix 5\n\nIBM Cognos Analytics 11.2.0-11.2.4 IF3 customers that have already applied IBM Cognos Analytics 11.2.4 IF4 and/or 11.2.4 IF5, no further action is required."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Cognos Analytics information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-0923",
"datePublished": "2025-06-11T17:28:57.762Z",
"dateReserved": "2025-01-31T01:57:18.370Z",
"dateUpdated": "2025-08-24T11:57:12.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, System Configuration
Description:
- Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
No CAPEC attack patterns related to this CWE.