CVE-2023-48708 MEDIUM

CVE-2023-48708: Insertion of Sensitive Information into Log in codeigniter4/shield

Vendor Codeigniter4
Product shield
Weakness CWE-532 · Sensitive info in logs
Published November 24, 2023
Last update August 2, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions, successful login attempts are recorded with the raw access tokens stored in the log table. If a malicious person somehow views the data in the log table, they can obtain a raw token and use it to send requests with that user's authority. This issue has been addressed in version 1.0.0-beta.8, and users are advised to upgrade. Users unable to upgrade should disable logging of successful login attempts via the configuration files.

Key dates

Disclosure timeline

November 24, 2023 CVE published
August 2, 2024 Record updated