← Back

CVE-2023-48708

nvd nist
Published: Nov 24, 2023Modified: Nov 21, 2024

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.

Affected (7)

Products: Codeigniter: Shield
Codeigniter
1 product
Shield
Configuration A
7 vulnerable
Vulnerable SoftwareAffected Versions
Codeigniter
Shield
Version 1.0.0 beta2
Shield
Version 1.0.0 beta3
Shield
Version 1.0.0 beta4
Shield
Version 1.0.0 beta5
Shield
Version 1.0.0 beta6
Shield
Version 1.0.0 beta7
Shield
Version 1.0.0 beta

Related CWEs

CWE-532
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (6)

Source: security-advisories@github.com
Product
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
MitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Product
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory

Timeline

No history available yet.