Information Medium Could result in disclosure of sensitive information to attackers. Source code fragments can include information about the design/structure of the application, including use of third-party components. This information may not otherwise be easily known by an adversary. Sometimes source code also contains highly sensitive information, such as passwords (database connection strings). The developer should verify that the output detected by Vega is in fact application source code. The cause should be determined, and the material removed or prevented from being output. Vega has detected fragments of text that match signatures of application source code. Application source code unintentedly visible to remote clients can be a security vulnerability. This can occur in applications using technologies such as PHP and JSP, which allow for code to be mixed with static presentation content. For example, in-line code is sometimes commented using HTML comments, resulting in it being transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or the use of third-party components. Sometimes sensitive information, such as a database connection string, can be included in source code. Information Leakage (OWASP) CWE-540: Information Exposure through Source Code (Mitre) Information Leakage (WASC)