| 标题 | Fantomas42 django-blog-zinnia 881101a9d1d455b2fc581d6f4ae0947cdd8126c6 CWE-312 Cleartext Storage of Sensitive Information |
|---|
| 描述 | Fantomas42/django-blog-zinnia stores the raw protected-entry password in Django session data after a visitor unlocks an entry. The same session value is later compared against the entry password. If a deployment uses readable client-side sessions or if session storage, logs, or backups are exposed, protected-entry passwords can be recovered from session data. The safer design is to store only an entry-scoped authorization marker or keyed digest. |
|---|
| 来源 | ⚠️ https://github.com/Fantomas42/django-blog-zinnia/issues/595 |
|---|
| 用户 | GalaxynX (UID 98977) |
|---|
| 提交 | 2026-06-13 13時51分 (1 月前) |
|---|
| 管理 | 2026-07-18 10時52分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 380029 [Fantomas42 django-blog-zinnia 直到 0.20 Protected Entry Password entry_protection.py 弱加密] |
|---|
| 积分 | 20 |
|---|