CVE-2023-48708

Name of the Vulnerable Software and Affected Versions CodeIgniter Shield versions prior to 1.0.0-beta.8

Description CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions, successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person views the data in the log table, they can obtain a raw token, which can then be used to send a request with that user's authority. This issue affects users of tokens, jwt, and hmac authenticators when logging successful login attempts.

Recommendations For versions prior to 1.0.0-beta.8, upgrade to Shield v1.0.0-beta.8 or later. As a temporary workaround, disable logging for successful login attempts by setting ConfigAuthToken::$recordLoginAttempt to Auth::RECORD LOGIN ATTEMPT FAILURE or Auth::RECORD LOGIN ATTEMPT NONE for AccessTokens or HmacSha256, and ConfigAuthJWT::$recordLoginAttempt to Auth::RECORD LOGIN ATTEMPT FAILURE or Auth::RECORD LOGIN ATTEMPT NONE for JWT.