| عنوان | PublicCMS V6.202506.d Insertion of Sensitive Information Into Log Code |
|---|
| الوصف | PublicCMS (up to version [V6.202506.d]) contains a sensitive information leakage vulnerability. The application explicitly records the user's plaintext password in the database upon a failed login attempt. This occurs in core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java at lines 115-117, 128-129, and 142-143, where the errorPassword field of the LogLogin entity is populated with raw user input. Furthermore, the LogLogin.java entity (lines 80-84, 195-200) and the corresponding database field log_login.error_password are designed to store this sensitive data without any cryptographic hashing. An attacker with read access to the database, backups, or audit reports can recover legitimate user credentials, potentially leading to unauthorized account access across multiple systems. |
|---|
| المستخدم | LeyNn3H (UID 97009) |
|---|
| ارسال | 01/04/2026 06:39 PM (21 أيام منذ) |
|---|
| الاعتدال | 21/04/2026 04:35 PM (20 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 358490 [Sanluan PublicCMS حتى 6.202506.d Failed Login LoginAdminController.java log_login errorPassword الكشف عن المعلومات] |
|---|
| النقاط | 17 |
|---|