Search for packages
| purl | pkg:composer/illuminate/auth@4.0.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-36f9-wxda-x3c2
Aliases: GHSA-q4xf-7fw5-4x8v |
Laravel Hijacked authentication cookies vulnerability Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc. This change requires the addition of a new remember_token column to your users (or equivalent) database table. After this change, a fresh token will be assigned to the user each time they login to your application. The token will also be refreshed when the user logs out of the application. The implications of this change are: if a "remember me" cookie is hijacked, simply logging out of the application will invalidate the cookie. |
Affected by 3 other vulnerabilities. |
|
VCID-5xz2-td65-nyau
Aliases: GMS-2014-39 |
Session Fixation Hijacked authentication cookies vulnerability in auth. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-eqzu-3cmt-2ube
Aliases: CVE-2017-14775 GHSA-c2v7-j5gq-wcq4 |
Close remember_me Timing Attack Vector This package mishandles the `remember_me token` verification process because `DatabaseUserProvider` does not have constant-time token comparison. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-t45c-4zgs-r7es
Aliases: CVE-2017-9303 GHSA-rc8x-jrrc-frfv |
User phishing There's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application. |
Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-yuwm-88g2-jke5
Aliases: GMS-2018-28 |
Unsafe payload decryption There's a potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false. To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. This could lead to unexpected behavior when combined with weak type comparisons. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||