Описание
User (Encrypted) Password Field Being Serialised
Impact
Leaking Password field during serialisation of the User model. Password is in the encrypted form but if User model is requested in json or array form the value is printed.
Patches
Issue has been patched in version 0.3.7-beta and onwards.
Workarounds
Add the 'password' field to the Users model file in the hidden array:
/**
* The attributes that should be hidden for arrays.
*
* @var array
*/
protected $hidden = [
'remember_token',
'password',
];
For more information
If you have any questions or comments about this advisory:
- Open an issue in pwweb/laravel-core
- Email us at security@pw-websolutions.com
Пакеты
Наименование
pwweb/laravel-core
composer
Затронутые версииВерсия исправления
<= 0.3.6-beta
0.3.7-beta
Дефекты
CWE-200
Дефекты
CWE-200