ELMAH elmah.axd/errorlog.axd Information Disclosure

Medium Web Application Scanning Plugin ID 112425




ELMAH (Error Logging Modules and Handlers) is an application error logging facility. The ELMAH instance on this application is not properly configured, which leads to information disclosure via elmah.axd or errorlog.axd. An unauthenticated, remote attacker can view web requests made to the server, including sensitive information such as Session ID values, full paths, or request variables.


Set <elmah><security allowRemoteAccess='0' /></elmah> in web.config to disable remote access.
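The setting above can be checked in a deployed web.config before it ships. The following is an added example, not part of the plugin text: a Python audit that reports whether an ELMAH handler is registered while remote access is enabled. The sample configurations are constructed, and the set of values treated as "enabled" is an assumption about how ELMAH parses allowRemoteAccess.

```python
import xml.etree.ElementTree as ET

# Assumption: ELMAH treats these values (case-insensitive) as "remote access on";
# any other value, or a missing <security> element, leaves remote access off.
ENABLED_VALUES = {"true", "yes", "on", "1"}

def _local(tag):
    """Strip an XML namespace so configs with xmlns on <configuration> still match."""
    return tag.rsplit("}", 1)[-1]

def audit_elmah(web_config_xml):
    """Return handler paths, the remote-access state, and whether both combine into a finding."""
    root = ET.fromstring(web_config_xml)
    paths, raw = set(), None
    for el in root.iter():
        name = _local(el.tag)
        # Handlers may sit under <httpHandlers>, <handlers>, or inside <location>.
        if name == "add" and el.get("type", "").strip().lower().startswith(
                "elmah.errorlogpagefactory"):
            paths.add(el.get("path", ""))
        elif name == "security" and "allowRemoteAccess" in el.attrib:
            raw = el.get("allowRemoteAccess")
    remote = (raw or "").strip().lower() in ENABLED_VALUES
    return {
        "handler_paths": sorted(paths),
        "allow_remote_access": remote,
        "finding": bool(paths) and remote,
    }

# Constructed sample: log viewer registered and reachable remotely.
WEAK = """
<configuration>
  <elmah>
    <security allowRemoteAccess="yes" />
  </elmah>
  <system.webServer>
    <handlers>
      <add name="Elmah" verb="POST,GET,HEAD" path="elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah" />
    </handlers>
  </system.webServer>
</configuration>
"""
# Same config with the remediation from this page applied.
FIXED = WEAK.replace('allowRemoteAccess="yes"', 'allowRemoteAccess="0"')

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_elmah(cfg))
```
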




Plugin Details

Severity: Medium

ID: 112425

Type: remote

Published: 2020/06/08

Updated: 2020/06/08

Scan Template: api, scan, pci

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
