5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48708

GHSA ID

GHSA-j72f-h752-mx4w

EPSS Score

0.38218%

CWE

CWE-532

Published

11/23/2023

Updated

11/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-48708

CVE-2023-48708: Insertion of Sensitive Information into Log

Impact

If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.

When you (1) use the following authentiactors,

AccessTokens (tokens)
JWT (jwt)
HmacSha256 (hmac)

and you (2) log successful login attempts, the raw tokens are stored.

Patches

Upgrade to Shield v1.0.0-beta.8 or later.

Workarounds

Disable logging for successful login attempts by the configuration files.

AccessTokens or HmacSha256
- Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
JWT
- Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE

References

https://codeigniter4.github.io/shield/getting_started/authenticators/

For more information

If you have any questions or comments about this advisory:

Open an issue or discussion in codeigniter4/shield
Email us at security@codeigniter.com

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48708

GHSA ID

GHSA-j72f-h752-mx4w

EPSS Score

0.38218%

CWE

CWE-532

Published

11/23/2023

Updated

11/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
codeigniter4/shield	composer	< 1.0.0-beta.8	1.0.0-beta.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from authenticator implementations directly logging raw tokens during successful authentication attempts. The commit diff shows these functions previously passed raw $credentials['token'] values to recordLoginAttempt(). Patches replaced these with token names (AccessTokens/HMAC) or hashes (JWT). The attempt() methods in these authenticators were clearly responsible for handling credentials and initiating logging, making them the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* su***ss*ul lo*in *tt*mpts *r* r**or***, t** r*w tok*ns *r* stor** in t** lo* t**l*. I* * m*li*ious p*rson som**ow vi*ws t** **t* in t** lo* t**l*, ** or s** **n o*t*in * r*w tok*n, w*i** **n t**n ** us** to s*n* * r*qu*st wit* t**t us*r

Reasoning

T** vuln*r**ility st*ms *rom *ut**nti**tor impl*m*nt*tions *ir**tly lo**in* r*w tok*ns *urin* su***ss*ul *ut**nti**tion *tt*mpts. T** *ommit *i** s*ows t**s* *un*tions pr*viously p*ss** r*w $*r***nti*ls['tok*n'] v*lu*s to `r**or*Lo*in*tt*mpt()`. P*t*

5

Basic Information

Concerned about an active attack path?

CVE-2023-48708: Insertion of Sensitive Information into Log

Impact

Patches

Workarounds

References

For more information

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI