PT-2023-30914 · Unknown · Codeigniter Shield

Kenjis · Published 2023-11-23 · Updated 2023-11-30 · CVE-2023-48707

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CodeIgniter Shield versions prior to 1.0.0-beta.8

Description: The secretKey value, an important key for HMAC SHA256 authentication, was stored in the database in cleartext form. If a malicious person had access to the database data, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating a user.

Recommendations: For versions prior to 1.0.0-beta.8, upgrade to Shield v1.0.0-beta.8 or later. After upgrading, all existing secretKey values must be encrypted.
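
The server needs the secretKey itself to recompute an HMAC, so it cannot be hashed like a password; it has to be encrypted at rest under a key kept outside the database. The sketch below is an added example, not Shield's own code: `sealSecret`, `openSecret`, `verifyRequest`, the row layout and the sample values are hypothetical, and it assumes PHP's sodium extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Shield's API. The encryption key must be kept
// outside the database (environment, KMS); it is generated inline for the demo.
$encKey = sodium_crypto_secretbox_keygen();

// Encrypt a secretKey before it is written to the database.
function sealSecret(string $secretKey, string $encKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($secretKey, $nonce, $encKey));
}

// Decrypt a stored value; returns null if it is malformed or was tampered with.
function openSecret(string $stored, string $encKey): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $encKey);
    return $plain === false ? null : $plain;
}

// Recompute the HMAC SHA256 of the request body and compare in constant time.
function verifyRequest(string $body, string $sentMac, string $stored, string $encKey): bool
{
    $secret = openSecret($stored, $encKey);
    if ($secret === null) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $body, $secret), $sentMac);
}

// Constructed sample data: one token row and one request body.
$secretKey = bin2hex(random_bytes(32));
$row  = ['key' => 'demo-key-id', 'secret' => sealSecret($secretKey, $encKey)];
$body = '{"action":"ping"}';

// Client that holds the real secretKey.
var_dump(verifyRequest($body, hash_hmac('sha256', $body, $secretKey), $row['secret'], $encKey));
// MAC computed from the stored column value alone, as read from a database dump.
var_dump(verifyRequest($body, hash_hmac('sha256', $body, $row['secret']), $row['secret'], $encKey));
```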

Exploit

Fix

Cleartext Storage of Sensitive Information


Weakness Enumeration

Related identifiers

CVE-2023-48707
GHSA-V427-C49J-8W6X

Affected products

Codeigniter Shield