CWE-531
AllowedInclusion of Sensitive Information in Test Code
Abstraction: Variant · Status: Incomplete
Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.
4 vulnerabilities reference this CWE, most recent first.
CVE-2025-43717 (GCVE-0-2025-43717)
Vulnerability from cvelistv5 – Published: 2025-04-17 00:00 – Updated: 2025-04-17 19:16- CWE-531 - Inclusion of Sensitive Information in Test Code
| Vendor | Product | Version | |
|---|---|---|---|
| avb | HTTP_Request2 |
Affected:
0 , < 2.7.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T19:16:14.268723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T19:16:25.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HTTP_Request2",
"vendor": "avb",
"versions": [
{
"lessThan": "2.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-531",
"description": "CWE-531 Inclusion of Sensitive Information in Test Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T02:55:17.873Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/pear/HTTP_Request2/commit/07925aa77e441dba0ff0fa973a09802729cb838f"
},
{
"url": "https://github.com/pear/HTTP_Request2/commit/265e05f9e08a28a38a57219516a8e4e2dfdbb147"
},
{
"url": "https://github.com/pear/HTTP_Request2/compare/v2.6.0...v2.7.0"
},
{
"url": "https://github.com/pear/HTTP_Request2/blob/b1c61b71128045734d757c4d3d436457ace80ea7/package.xml#L24"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-43717",
"datePublished": "2025-04-17T00:00:00.000Z",
"dateReserved": "2025-04-17T00:00:00.000Z",
"dateUpdated": "2025-04-17T19:16:25.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42213 (GCVE-0-2024-42213)
Vulnerability from cvelistv5 – Published: 2025-05-05 19:00 – Updated: 2025-05-05 19:05- CWE-531 - Inclusion of Sensitive Information in Test Code
| Vendor | Product | Version | |
|---|---|---|---|
| HCL Software | HCL BigFix Compliance |
Affected:
2.0.12
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T19:05:21.890292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:05:39.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HCL BigFix Compliance",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.12"
}
]
}
],
"datePublic": "2025-05-05T17:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieved via predictable URLs or misconfigured permissions, leading to information disclosure.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieved via predictable URLs or misconfigured permissions, leading to information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-531",
"description": "CWE-531 Inclusion of Sensitive Information in Test Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:00:33.692Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120961"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-42213",
"datePublished": "2025-05-05T19:00:33.692Z",
"dateReserved": "2024-07-29T21:32:16.370Z",
"dateUpdated": "2025-05-05T19:05:39.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-9HHM-VPCP-JRC3
Vulnerability from github – Published: 2025-05-05 21:31 – Updated: 2025-05-05 21:31HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieved via predictable URLs or misconfigured permissions, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2024-42213"
],
"database_specific": {
"cwe_ids": [
"CWE-531"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-05T19:15:55Z",
"severity": "MODERATE"
},
"details": "HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieved via predictable URLs or misconfigured permissions, leading to information disclosure.",
"id": "GHSA-9hhm-vpcp-jrc3",
"modified": "2025-05-05T21:31:28Z",
"published": "2025-05-05T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42213"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W7GH-F2FM-9Q8R
Vulnerability from github – Published: 2025-04-17 03:30 – Updated: 2025-04-17 14:07In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pear/http_request2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43717"
],
"database_specific": {
"cwe_ids": [
"CWE-531",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-17T14:07:38Z",
"nvd_published_at": "2025-04-17T03:15:16Z",
"severity": "MODERATE"
},
"details": "In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.",
"id": "GHSA-w7gh-f2fm-9q8r",
"modified": "2025-04-17T14:07:38Z",
"published": "2025-04-17T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43717"
},
{
"type": "WEB",
"url": "https://github.com/pear/HTTP_Request2/commit/07925aa77e441dba0ff0fa973a09802729cb838f"
},
{
"type": "WEB",
"url": "https://github.com/pear/HTTP_Request2/commit/265e05f9e08a28a38a57219516a8e4e2dfdbb147"
},
{
"type": "PACKAGE",
"url": "https://github.com/pear/HTTP_Request2"
},
{
"type": "WEB",
"url": "https://github.com/pear/HTTP_Request2/blob/b1c61b71128045734d757c4d3d436457ace80ea7/package.xml#L24"
},
{
"type": "WEB",
"url": "https://github.com/pear/HTTP_Request2/compare/v2.6.0...v2.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PEAR HTTP_Request2 vulnerable to Cross-site Scripting"
}
Mitigation
Remove test code before deploying the application into production.
No CAPEC attack patterns related to this CWE.