PT-2023-30914 · Unknown · CodeIgniter Shield

Kenjis · Published 2023-11-23 · Updated 2023-11-30 · CVE-2023-48707

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

CodeIgniter Shield versions prior to 1.0.0-beta.8

Description

The secretKey value, an important key for HMAC SHA256 authentication, was stored in the database in cleartext form. If a malicious person had access to the database data, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating a user.

Recommendations

For versions prior to 1.0.0-beta.8, upgrade to Shield v1.0.0-beta.8 or later. After upgrading, all existing secretKey values must be encrypted.

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2023-48707
GHSA-V427-C49J-8W6X

Affected Products

CodeIgniter Shield