CVE-2023-48708

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-48708
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48708.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-48708
Aliases
Published
2023-11-24T17:16:15Z
Modified
2025-11-04T20:15:38.091647Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Summary
Insertion of Sensitive Information into Log in codeigniter4/shield
Details

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions, successful login attempts are recorded in the log table together with the raw tokens. If a malicious person somehow views the data in the log table, they can obtain a raw token, which can then be used to send a request with that user's authority. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. Users unable to upgrade should disable logging of successful login attempts in the configuration files.

Database specific
{
    "cwe_ids": [
        "CWE-532"
    ]
}
References

Affected packages

Git / github.com/codeigniter4/shield

Affected ranges

Type
GIT
Repo
https://github.com/codeigniter4/shield
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0-beta
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7