3 vulnerabilities classified as CWE-756 (Missing Custom Error Page). AI Chinese analysis included.
CWE-756 represents a critical information disclosure weakness where applications fail to implement custom error pages and instead rely on default system-generated responses. This oversight typically allows attackers to trigger specific error conditions, such as malformed URLs or invalid inputs, that reveal detailed stack traces, server software versions, or internal file paths. Such exposed technical data significantly aids adversaries in crafting targeted exploits and mapping the application’s architecture. To mitigate this risk, developers must configure their web servers and frameworks to suppress verbose error messages in production environments. Implementing standardized, user-friendly error pages that provide no technical details ensures that sensitive backend information remains hidden. This practice protects the application’s integrity and follows security best practices by minimizing the attack surface available to potential intruders.
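```java
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    try {
        ...
    } catch (ApplicationSpecificException ase) {
        // Only the application-specific exception is handled; any other runtime
        // exception propagates to the container's default error page.
        logger.error("Caught: " + ase.toString());
    }
}
```

```xml
<!-- Off: detailed default error pages are shown to every client -->
<customErrors mode="Off" />

<!-- RemoteOnly: remote clients get the custom error page; details are shown only to local requests -->
<customErrors mode="RemoteOnly" />
```

| CVE ID | Title | CVSS | Severity | Published |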
|---|---|---|---|---|
| CVE-2023-27998 | Fortinet FortiPresence security vulnerability — FortiPresence | 5.3 | Medium | 2023-09-13 |
| CVE-2022-3175 | Missing Custom Error Page in ikus060/rdiffweb — ikus060/rdiffweb | 8.2 | - | 2022-09-13 |
| CVE-2018-8913 | Synology Web Station input validation error vulnerability — Web Station | 6.1 | - | 2019-04-01 |

There are 3 CVEs classified as CWE-756 (Missing Custom Error Page). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.