Impact If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority. When you (1) use the following authentiactors, – AccessTokens (tokens) – JWT (jwt) – HmacSha256 (hmac) and you (2) log successful login attempts, the raw tokens are stored. Patches Upgrade to Shield v1.0.0-beta.8 or later. Workarounds Disable logging for successful login attempts by the configuration files. AccessTokens or HmacSha256 Set ConfigAuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE JWT Set ConfigAuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE References https://codeigniter4.github.io/shield/getting_started/authenticators/ For more information If you have any questions or comments about this advisory: * Open an issue or discussion in codeigniter4/shield * Email us at…Read More