Homepage
About Snyk

Information Exposure Affecting statamic/cms package, versions <3.2.39 >=3.3.0-beta.1, <3.3.2

Severity

 Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-STATAMICCMS-2434274
  • published 27 Mar 2022
  • disclosed 27 Mar 2022
  • credit Thibaud Kehler
Report a new vulnerability Found a mistake?

Introduced: 27 Mar 2022

CVE-2022-24784 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

Upgrade statamic/cms to version 3.2.39, 3.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure. Using a specially crafted regular expression filter in the users endpoint of the API could allow an attacker to confirm a single character of a user's password hash. Repeating this operation could eventually lead to uncover the entire hash. Note: For this to be exploitable, both the REST API and the users endpoint need to be enabled, as they are disabled by default.

CVSS Scores

version 3.1
Expand this section

Snyk

3.7 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

3.7 low