This repository has been archived by the owner on Feb 16, 2024. It is now read-only.

User (Encrypted) Password Field Being Serialised

Low
rabrowne85 published GHSA-7fjp-g4m7-fx23 Apr 11, 2021

Package

composer pwweb/laravel-core (Composer)

Affected versions

< 0.3.7-beta

Patched versions

0.3.7-beta

Description

Impact

The password field is leaked during serialisation of the User model. The password is stored in encrypted form, but whenever the User model is converted to JSON or to an array the value is included in the output.

Patches

The issue has been patched in version 0.3.7-beta and later.

Workarounds

Add the 'password' field to the $hidden array in the User model file:

    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'remember_token',
        'password',
    ];
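As an added regression check that is not part of the advisory or the pwweb/laravel-core package, the following PHPUnit test (assuming a standard Laravel application whose authenticatable model is App\Models\User and whose tests extend Tests\TestCase) fails if any serialisation path of the model still carries the password or remember_token:

```php
<?php
// Added regression test, not from the advisory or pwweb/laravel-core.
// Assumes a standard Laravel application where the authenticatable model
// is App\Models\User and tests extend the framework's Tests\TestCase.

namespace Tests\Unit;

use App\Models\User;
use Tests\TestCase;

class UserSerialisationTest extends TestCase
{
    /** Attributes that must never appear in any serialised form of the model. */
    private const SECRET_ATTRIBUTES = ['password', 'remember_token'];

    public function test_secret_attributes_are_not_serialised(): void
    {
        // No database needed: build the model in memory. forceFill bypasses
        // the $fillable guard so the constructed sample values land on the model.
        $user = (new User())->forceFill([
            'name'           => 'Example User',
            'email'          => 'user@example.test',
            'password'       => '$2y$10$constructed-bcrypt-hash-placeholder',
            'remember_token' => 'constructed-remember-token',
        ]);

        // Every public serialisation path Eloquent offers for a model,
        // including the nested case of a model inside a collection.
        $serialisations = [
            'toArray'       => $user->toArray(),
            'toJson'        => json_decode($user->toJson(), true),
            'json_encode'   => json_decode(json_encode($user), true),
            'jsonSerialize' => $user->jsonSerialize(),
            'collection'    => collect([$user])->toArray()[0],
        ];

        foreach ($serialisations as $path => $output) {
            foreach (self::SECRET_ATTRIBUTES as $attribute) {
                $this->assertArrayNotHasKey(
                    $attribute,
                    $output,
                    "User serialised via {$path} leaks '{$attribute}'; add it to \$hidden."
                );
            }
        }

        // Hidden attributes must remain readable on the model itself,
        // otherwise password verification during login would break.
        $this->assertSame('$2y$10$constructed-bcrypt-hash-placeholder', $user->password);
    }
}
```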

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs