PT-2024-26905 · Statamic · Statamic

Jasonvarga · Published 2024-05-30 · Updated 2024-06-02 · CVE-2024-36119

CVSS v3.1: 1.8 (Low)
Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Statamic versions 5.3.0 through 5.6.1

Description
The issue affects sites running Statamic versions 5.3.0 through 5.6.1 that use the user:register form tag together with file-based user accounts, and that had users register while one of those versions was deployed. Users who registered via the user:register form tag have their password confirmation value stored in plain text in their user file. This value is only visible to people who can read the user YAML files, typically the developers of the application itself. The issue has been patched in version 5.6.2.

Recommendations
For versions 5.3.0 through 5.6.1, system administrators are advised to upgrade their deployments to version 5.6.2 or later. Affected users should have their password reset.

To identify affected users, run the following query in php artisan tinker:

    Statamic\Facades\User::query()->whereNotNull('password_confirmation')->get()->map->email

To clear the stored password confirmation value and the existing password hash, so that affected users must reset their password before their next login attempt, run the following in tinker:

    Statamic\Facades\User::query()->whereNotNull('password_confirmation')->get()->each(fn ($user) => $user->remove('password_confirmation')->passwordHash(null)->save())

If user files are committed to a public git repository, consider clearing the sensitive data from the git history as well.
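The tinker query above needs a booted Statamic application. Because the affected accounts are file-based, the same check can be run directly against the user YAML files, for example on a backup or a checked-out repository where the application cannot be booted. The script below is an added example, not code from the advisory or from the Statamic project. It assumes one YAML file per user with top-level email and password_confirmation keys (the key name the advisory's query uses); the sample user records it creates are constructed for the demonstration. It only reports affected users; remediation (removing the key and resetting the password hash) should still be done with the tinker query from the advisory so that Statamic rewrites the files itself.

```shell
#!/bin/sh
# Added example (not from the advisory or Statamic): scan a directory of
# file-based Statamic user records for a leaked top-level
# password_confirmation key and list the affected users' e-mail addresses.
# Assumption (hypothetical layout): one YAML file per user with top-level
# "email:" and, on affected records, "password_confirmation:" keys.

# Build a constructed sample user store so the script runs offline.
# alice registered through the vulnerable form tag; bob did not.
make_sample_users() {
  dir=$(mktemp -d)
  cat > "$dir/alice.yaml" <<'EOF'
name: Alice
email: alice@example.com
password: '$2y$10$CONSTRUCTED_HASH_PLACEHOLDER'
password_confirmation: correct-horse-battery
EOF
  cat > "$dir/bob.yaml" <<'EOF'
name: Bob
email: 'bob@example.com'
password: '$2y$10$CONSTRUCTED_HASH_PLACEHOLDER'
EOF
  printf '%s\n' "$dir"
}

# Print the e-mail address of every user file that still carries a
# top-level password_confirmation key (one address per line).
affected_emails() {
  users_dir=$1
  for f in "$users_dir"/*.yaml; do
    [ -f "$f" ] || continue
    # Anchoring at column 0 matches only the top-level key, not nested ones.
    if grep -q '^password_confirmation:' "$f"; then
      # Extract the value of the top-level email key and strip any quotes.
      sed -n 's/^email:[[:space:]]*//p' "$f" | sed "s/^['\"]//; s/['\"]\$//"
    fi
  done
}

# Stand-alone usage: prints alice@example.com for the constructed store.
affected_emails "$(make_sample_users)"
```

Run it against a real store by calling affected_emails with the directory that holds the user YAML files; any address it prints belongs to a user whose password confirmation was written to disk and who should be reset as the advisory describes.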

Weakness Enumeration
Cleartext Storage of Sensitive Information

Related Identifiers
CVE-2024-36119
GHSA-QVPJ-W7XJ-R6W9

Affected Products
Statamic