ELMAH Information Leak

ID

elmah_information_leak

Severity

high

Kind

Information Disclosure

CWE

94

Description

The Error Logging Modules and Handlers (ELMAH) HTTP module, served at elmah.axd, was found to be accessible. This module can leak a significant amount of valuable information.

Rationale

Exposed ELMAH error logging interfaces leak sensitive application internals that attackers use for reconnaissance and exploitation. Attackers access elmah.axd endpoints to view detailed error logs containing stack traces, file paths, database connection strings, SQL queries, session identifiers, and internal application logic. This information reveals framework versions, third-party libraries, server configurations, and potential vulnerabilities. Attackers use these details to craft targeted attacks, identify authentication bypasses, discover SQL injection points, or escalate privileges by understanding the application’s internal structure and security weaknesses.

Remediation

Consider whether or not ELMAH is actually required in production; if it isn’t, disable it. If it is, ensure that access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/
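One way to apply this remediation in an ASP.NET web.config, shown as an added example that is not taken from this page or from the ELMAH project; the role name ErrorLogAdmins and the log path are assumptions:

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false"
               type="Elmah.ErrorLogSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- Weak setting: allowRemoteAccess="1" serves elmah.axd to any network client.
         Hardened: remote access off, so only requests from the server itself are served. -->
    <security allowRemoteAccess="0" />
    <!-- Log path is an assumed value; keep it outside the web root or under App_Data. -->
    <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data/Errors" />
  </elmah>

  <system.web>
    <!-- Classic pipeline handler registration -->
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
  </system.web>

  <system.webServer>
    <!-- IIS 7+ integrated pipeline handler registration -->
    <handlers>
      <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>

  <!-- Second layer: even if remote access is later enabled for operators, only
       authenticated users in the assumed ErrorLogAdmins role may reach the handler.
       Rules are evaluated top-down, so the allow must precede the deny. -->
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authorization>
        <allow roles="ErrorLogAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, request /elmah.axd anonymously and confirm the response is a 401 or 403 rather than the error log page.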