Upgrade statamic/cms to version 5.6.2 or higher.
Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information through the user:register_form tag: the password_confirmation value submitted with the registration form was written, in plain text, into the new user's yaml file. Because that value equals the password the user chose, an attacker who obtains read access to the user yaml files (or to any copy of them) recovers the cleartext password.
Notes:
This only affects sites matching all of the following conditions:
Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week)
Using the user:register_form tag.
Using file-based user accounts. (Does not affect users stored in a database.)
Has users who registered during that time period. (Existing users are not affected.)
Any users who registered during that time period on an affected version will still have the password_confirmation value in their yaml files, even after the package is upgraded.
It is recommended that affected users have their password reset. The following query can be entered into php artisan tinker and outputs the email addresses of affected users:
Statamic\Facades\User::query()->whereNotNull('password_confirmation')->get()->map->email
The following can be entered into tinker and clears both the password_confirmation value and the existing password hash. Those users will be required to reset their password before their next login attempt.
Statamic\Facades\User::query()
->whereNotNull('password_confirmation')->get()
->each(fn ($user) => $user->remove('password_confirmation')->passwordHash(null)->save());
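The tinker snippets above require a working Statamic install. The audit below is an added example, not Statamic's code and not part of this advisory; it does the same two things offline against copies of the user yaml files (for example from a backup or a checked-out repository, which keep the leaked value even after the live files are scrubbed). It assumes the flat top-level layout of Statamic's file-based user records (users/<id>.yaml with keys such as email, password and password_confirmation, where password holds the hash) and uses a line-based scan of top-level keys rather than a full YAML parser, so it needs no third-party library. The sample files are constructed for illustration.

```python
"""Audit Statamic file-based user YAML for a leaked password_confirmation key.

Added example, not Statamic's code. Assumes Statamic's flat user layout
(users/<id>.yaml, keys such as email, password, password_confirmation) and
scans unindented top-level keys line by line instead of parsing full YAML.
"""
import re
from pathlib import Path

# Matches an unindented "key: value" line, e.g. "password_confirmation: hunter2".
# Indented lines (nested values such as role lists) never match.
TOP_LEVEL_KEY = re.compile(r"^(?P<key>[A-Za-z_][\w\-]*):\s*(?P<value>.*)$")

LEAK_KEY = "password_confirmation"
HASH_KEY = "password"  # assumed: the key under which Statamic stores the bcrypt hash


def top_level_keys(yaml_text: str) -> dict:
    """Return {key: value} for unindented scalar keys; nested blocks are ignored."""
    found = {}
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            found[m.group("key")] = m.group("value").strip()
    return found


def is_affected(yaml_text: str) -> bool:
    """True when the record still carries the cleartext confirmation value."""
    return LEAK_KEY in top_level_keys(yaml_text)


def affected_emails(files: dict) -> list:
    """files: {filename: yaml_text}. Returns the email of each affected record
    (falls back to the filename when the record has no email key)."""
    hits = []
    for name, text in sorted(files.items()):
        keys = top_level_keys(text)
        if LEAK_KEY in keys:
            hits.append(keys.get("email", name))
    return hits


def scrub(yaml_text: str) -> str:
    """Drop password_confirmation and the password hash so the user must reset.
    Only unindented key lines are removed; everything else is kept verbatim."""
    kept = []
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m and m.group("key") in (LEAK_KEY, HASH_KEY):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def scan_directory(users_dir: str) -> list:
    """Report affected emails for a real users/ directory (assumed *.yaml files)."""
    files = {p.name: p.read_text() for p in Path(users_dir).glob("*.yaml")}
    return affected_emails(files)


# Constructed sample records standing in for users/<id>.yaml (not real data).
SAMPLE_USERS = {
    "alice.yaml": (
        "name: Alice\n"
        "email: alice@example.test\n"
        "password: $2y$10$abcdefghijklmnopqrstuv\n"
        "roles:\n"
        "  - author\n"
    ),
    "bob.yaml": (
        "name: Bob\n"
        "email: bob@example.test\n"
        "password: $2y$10$zyxwvutsrqponmlkjihgfe\n"
        "password_confirmation: correct horse battery staple\n"
        "roles:\n"
        "  - author\n"
    ),
}

if __name__ == "__main__":
    for email in affected_emails(SAMPLE_USERS):
        print("affected:", email)
    print(scrub(SAMPLE_USERS["bob.yaml"]))
```

Run it against a site by calling scan_directory on the site's users directory, and write scrub's output back only after verifying the scan result matches the tinker query above. Scrubbing the live files does not remove the value from older backups or from version-control history that contains those files; treat any such copy as exposing the affected users' passwords and rotate them regardless.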