Lookup for vulnerable packages by Package URL.
| Purl | pkg:composer/illuminate/auth@4.0.1 |
|---|
| Type | composer |
|---|
| Namespace | illuminate |
|---|
| Name | auth |
|---|
| Version | 4.0.1 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 5.5.40 |
|---|
| Latest_non_vulnerable_version | 5.6.15 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-36f9-wxda-x3c2 |
| vulnerability_id |
VCID-36f9-wxda-x3c2 |
| summary |
Laravel Hijacked authentication cookies vulnerability
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc.
This change requires the addition of a new remember_token column to your users (or equivalent) database table. After this change, a fresh token will be assigned to the user each time they login to your application. The token will also be refreshed when the user logs out of the application. The implications of this change are: if a "remember me" cookie is hijacked, simply logging out of the application will invalidate the cookie. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-q4xf-7fw5-4x8v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-36f9-wxda-x3c2 |
|
| 1 |
|
| 2 |
| url |
VCID-eqzu-3cmt-2ube |
| vulnerability_id |
VCID-eqzu-3cmt-2ube |
| summary |
Close remember_me Timing Attack Vector
This package mishandles the `remember_me token` verification process because `DatabaseUserProvider` does not have constant-time token comparison. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-14775, GHSA-c2v7-j5gq-wcq4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eqzu-3cmt-2ube |
|
| 3 |
| url |
VCID-t45c-4zgs-r7es |
| vulnerability_id |
VCID-t45c-4zgs-r7es |
| summary |
User phishing
There's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-9303, GHSA-rc8x-jrrc-frfv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t45c-4zgs-r7es |
|
| 4 |
| url |
VCID-yuwm-88g2-jke5 |
| vulnerability_id |
VCID-yuwm-88g2-jke5 |
| summary |
Unsafe payload decryption
There's a potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false. To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. This could lead to unexpected behavior when combined with weak type comparisons. |
| references |
|
| fixed_packages |
|
| aliases |
GMS-2018-28
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yuwm-88g2-jke5 |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 3.1 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/illuminate/auth@4.0.1 |
|---|