CVSS3
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence: High
EPSS
Percentile: 15.5%
statamic/cms is vulnerable to Cleartext Password Storage. The vulnerability is due to insecure handling of password confirmation data and affects users who registered via the user:register_form tag and use file-based user accounts. It allows an attacker who gains access to the user YAML files to log in to those users' accounts.
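An added example, not taken from the advisory or from the Statamic project: an audit pass over a directory of user YAML files that reports password-like fields holding a value that is not a hash. The key names, the flat top-level "key: value" layout and the $2y$ / $argon2 hash prefixes are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: stored hashes use the "$id$..." modular crypt format (bcrypt, argon2).
HASH_RE = re.compile(r"^\$(2[aby]|argon2(id|i|d))\$")
# Assumption: sensitive fields are top-level "key: value" lines with "password" in the key.
FIELD_RE = re.compile(r"^([A-Za-z0-9_]*password[A-Za-z0-9_]*)\s*:\s*(.*)$", re.IGNORECASE)


def cleartext_fields(yaml_text):
    """Return names of top-level password-like keys whose value is not a hash."""
    hits = []
    for line in yaml_text.splitlines():
        m = FIELD_RE.match(line)  # anchored at column 0, so nested keys are skipped
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if value and not value.startswith("#") and not HASH_RE.match(value):
            hits.append(key)  # report the field name only, never the value
    return hits


def audit_user_dir(user_dir):
    """Map each user file name to its cleartext fields; clean files are omitted."""
    report = {}
    for path in sorted(Path(user_dir).glob("*.yaml")):
        hits = cleartext_fields(path.read_text(encoding="utf-8"))
        if hits:
            report[path.name] = hits
    return report


def demo():
    # Constructed sample files; key names and values are illustrative only.
    affected = "name: Alice\npassword_hash: '$2y$10$abcdefghijklmnopqrstuv'\npassword_confirmation: hunter2-example\n"
    clean = "name: Bob\npassword_hash: '$2y$10$abcdefghijklmnopqrstuv'\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "alice@example.com.yaml").write_text(affected, encoding="utf-8")
        Path(d, "bob@example.com.yaml").write_text(clean, encoding="utf-8")
        return audit_user_dir(d)


if __name__ == "__main__":
    for name, fields in demo().items():
        print(f"{name}: cleartext value in {', '.join(fields)}")
```

Any account a file is reported for should have its password rotated, and the same check applies to copies of those files in version control history and backups.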
dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5
docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository
github.com/statamic/cms/commit/0b804306c96c99b81755d5bd02df87ddf392853e
github.com/statamic/cms/security/advisories/GHSA-qvpj-w7xj-r6w9