CVE-2023-48708

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person somehow views the data in the log table they can obtain a raw token which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging for successful login attempts by the configuration files.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:codeigniter:shield:1.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta7:*:*:*:*:*:*

History

21 Nov 2024, 08:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5
v2 : unknown
v3 : 5.0
References () https://codeigniter4.github.io/shield/getting_started/authenticators/ - Product () https://codeigniter4.github.io/shield/getting_started/authenticators/ - Product
References () https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4 - Patch () https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4 - Patch
References () https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w - Mitigation, Vendor Advisory () https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w - Mitigation, Vendor Advisory

30 Nov 2023, 20:11

Type Values Removed Values Added
CPE cpe:2.3:a:codeigniter:shield:1.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:codeigniter:shield:1.0.0:beta4:*:*:*:*:*:*
References () https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4 - () https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4 - Patch
References () https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w - () https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w - Mitigation, Vendor Advisory
References () https://codeigniter4.github.io/shield/getting_started/authenticators/ - () https://codeigniter4.github.io/shield/getting_started/authenticators/ - Product
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5

27 Nov 2023, 13:52

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-24 18:15

Updated : 2024-11-21 08:32


NVD link : CVE-2023-48708

Mitre link : CVE-2023-48708

CVE.ORG link : CVE-2023-48708


JSON object : View

Products Affected

codeigniter

  • shield
CWE
CWE-532

Insertion of Sensitive Information into Log File