Missing Encryption of Sensitive Data
CVE-2018-20465
Summary
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- HIGH
- HIGH
- HIGH
CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.
References
Advisory Timeline
- Published