Cleartext Storage of Sensitive Information Affecting statamic/cms package, versions >=5.3.0, <5.6.2


Severity

low

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.05% (16th percentile)

  • Snyk ID SNYK-PHP-STATAMICCMS-7176107
  • published 3 Jun 2024
  • disclosed 2 Jun 2024
  • credit Unknown

How to fix?

Upgrade statamic/cms to version 5.6.2 or higher.

Overview

Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the user:register_form tag. An attacker can access password confirmation data stored in plain text by gaining access to user yaml files.

Notes:

This only affects sites matching all of the following conditions:

  1. Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week)

  2. Using the user:register_form tag.

  3. Using file-based user accounts. (Does not affect users stored in a database.)

  4. Has users that have registered during that time period. (Existing users are not affected.)

Workaround

Any users who registered during that time period on an affected version will still have the password_confirmation value in their yaml files.

It is recommended that affected users have their password reset. The following query can be entered into php artisan tinker and will output a list of affected emails:

Statamic\Facades\User::query()->whereNotNull('password_confirmation')->get()->map->email

The following can be entered into tinker and clears both password_confirmation and the existing password hash. Affected users will be required to reset their password before their next login attempt.

Statamic\Facades\User::query()
  ->whereNotNull('password_confirmation')->get()
  ->each(fn ($user) => $user->remove('password_confirmation')->passwordHash(null)->save());
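The same first step can be performed offline, for example against a backup where php artisan tinker is not available. This POSIX shell check is an added example, not code from the advisory or from Statamic; it assumes the file-based store layout of one YAML file per user under a users/ directory, taking the email from a top-level "email:" key when present and otherwise from the file name (users/<email>.yaml).

```shell
#!/bin/sh
# Added example (not from the advisory or Statamic): offline check of a
# file-based user store for leftover top-level password_confirmation keys.
# Assumed layout: users/<email>.yaml, or any file name plus an "email:" key.

# Print the email of every user file that still carries a top-level
# password_confirmation key. $1 is the users directory.
affected_emails() {
  dir="$1"
  for f in "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    grep -q '^password_confirmation:' "$f" || continue
    # Prefer an explicit email key; strip surrounding quotes if present.
    email=$(sed -n 's/^email:[[:space:]]*//p' "$f" | head -n 1 | tr -d "\"'")
    [ -n "$email" ] || email=$(basename "$f" .yaml)
    printf '%s\n' "$email"
  done
}

# Number of affected user files; zero means no password reset is needed.
affected_count() {
  affected_emails "$1" | wc -l | tr -d ' '
}

# Constructed sample store for a dry run: one clean user, two affected ones.
make_sample_store() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/alice@example.test.yaml" <<'EOF'
name: Alice
password: CONSTRUCTED-HASH-PLACEHOLDER
EOF
  cat > "$dir/bob@example.test.yaml" <<'EOF'
name: Bob
password: CONSTRUCTED-HASH-PLACEHOLDER
password_confirmation: constructed-plaintext-password
EOF
  cat > "$dir/carol.yaml" <<'EOF'
name: Carol
email: "carol@example.test"
password: CONSTRUCTED-HASH-PLACEHOLDER
password_confirmation: constructed-plaintext-password
EOF
}
```

Run it as `make_sample_store /tmp/users && affected_emails /tmp/users` to see the two constructed affected accounts; the listed emails are the ones to feed into a password reset, and the tinker command above remains the way to actually clear the stored values.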

CVSS Scores

version 3.1

Snyk

1.8 low
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None