PT-2021-24392 · Laravel · Laravel Core

Published 2021-04-13 · Updated 2021-04-13

Name of the Vulnerable Software and Affected Versions: Laravel Core versions prior to 0.3.7-beta
Description: The User model leaks its password field when it is serialized. The stored value is a password hash rather than the plaintext, but it is included in the output whenever the model is converted to an array or to JSON (for example when a User is returned from a route or API response). A leaked hash is still an information disclosure: it can be cracked offline and it reveals which hashing scheme is in use.
Recommendations: For versions prior to 0.3.7-beta, add 'password' to the $hidden property of the User model. Attributes listed in $hidden are omitted by the model's toArray() and toJson() serialization, as in the following example (note the attribute name is 'remember_token', with an underscore):

```php
protected $hidden = [
  'remember_token',
  'password',
];
```

Alternatively, update to version 0.3.7-beta or later, which applies this change to the shipped User model.
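The following is an added regression test written for this page; it is not code from the advisory or from the Laravel project. It assumes a Laravel application whose User model is App\Models\User (older applications use App\User) with a test base class at Tests\TestCase, and it is run with `php artisan test` or `vendor/bin/phpunit`. The user attributes are constructed sample data. The test exercises each serialization path that a leak could take (toArray(), toJson(), and plain json_encode(), which is what happens when a model is returned from a route) and fails if either 'password' or 'remember_token' appears in the output.

```php
<?php
// Added example: a regression test for the $hidden fix described above.
// Assumptions: Laravel app with App\Models\User and Tests\TestCase;
// all user attributes below are constructed sample data.

namespace Tests\Unit;

use App\Models\User;
use Tests\TestCase;

class UserSerializationTest extends TestCase
{
    /** Build an in-memory user without touching the database. */
    private function makeUser(): User
    {
        $user = new User();

        // forceFill bypasses $fillable, so the test does not depend on
        // the application's mass-assignment rules.
        $user->forceFill([
            'name'           => 'Constructed Example',
            'email'          => 'example@example.invalid',
            'password'       => password_hash('constructed-password', PASSWORD_BCRYPT),
            'remember_token' => 'constructed-remember-token',
        ]);

        return $user;
    }

    /** Every serialization path must strip the attributes listed in $hidden. */
    public function test_sensitive_fields_are_not_serialized(): void
    {
        $user = $this->makeUser();

        $paths = [
            'toArray'     => $user->toArray(),
            'toJson'      => json_decode($user->toJson(), true),
            // Model implements JsonSerializable, so this is the path taken
            // when a model is returned from a route or passed to response()->json().
            'json_encode' => json_decode(json_encode($user), true),
        ];

        foreach ($paths as $path => $serialized) {
            $this->assertArrayNotHasKey('password', $serialized, "password leaked via {$path}");
            $this->assertArrayNotHasKey('remember_token', $serialized, "remember_token leaked via {$path}");
            // Non-sensitive attributes must still be present: hiding must not
            // have been achieved by breaking serialization altogether.
            $this->assertSame('example@example.invalid', $serialized['email'], "email missing via {$path}");
        }
    }

    /** The model itself must declare the hidden fields rather than rely on a per-call makeHidden(). */
    public function test_hidden_property_declares_both_fields(): void
    {
        $hidden = (new User())->getHidden();

        $this->assertContains('password', $hidden);
        $this->assertContains('remember_token', $hidden);
    }
}
```

Checking getHidden() separately matters because a developer can also suppress attributes per call with makeHidden(); that protects one response but not the next one, whereas $hidden on the model covers every serialization of a User.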

Weakness Enumeration

Information Disclosure

Related Identifiers

GHSA-7FJP-G4M7-FX23

Affected Products

Laravel Core