Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2017-009: Users inadvertently passing sensitive data to LoginAttempt

Severity:
Low (?)
Identifier:
ss-2017-009
Versions Affected:
3.5.5 and below, 3.6.0 to 3.6.2, 4.0.0
Versions Fixed:
3.5.6, 3.6.3, 4.0.1
Release Date:
2017-12-07

All user login attempts are logged in the database in the LoginAttempt table. However, this table contains information in plain text, and may possible contain sensitive information, such as user passwords mis-typed into the username field.

In order to address this a one-way hash is applied to the Email field before being stored.

Reported by Loz Calver