Compliance Impact

This vulnerability exposes sensitive session credentials, including plaintext usernames, passwords, email addresses, and user identifiers, through a publicly accessible JavaScript file. Such exposure constitutes a breach of confidentiality and integrity of sensitive data.

The unauthorized disclosure of personal and authentication data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over the confidentiality, integrity, and security of personal and sensitive information.

Specifically, the vulnerability violates best practices for secure data handling by storing sensitive information in cleartext in an externally accessible location, increasing the risk of data breaches and unauthorized access, which are critical compliance concerns under these regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is an incorrect access control issue in the config.php component of Slah CMS versions 1.5.0 and below. It allows unauthenticated attackers to access sensitive information, including active session credentials.

Technically, the vulnerability arises because the session() function in config.php logs every session key-value pair in plaintext to a publicly accessible JavaScript file (public/assets/js/logged.js). This file is served without any access control or encryption, so anyone can retrieve it remotely.

The logged data includes sensitive information such as email addresses, passwords, login status flags, and unique user identifiers. Attackers can use this information to monitor active sessions and perform unauthorized logins, including administrative account takeovers.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete compromise of administrative accounts and unauthorized access to sensitive governmental web management interfaces.

Attackers can harvest plaintext session credentials from a publicly accessible file and use them to bypass authentication, gaining control over administrative dashboards.

The breach compromises the confidentiality and integrity of public sector administrative operations, potentially allowing attackers to manipulate or steal sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the publicly accessible JavaScript file "public/assets/js/logged.js" contains sensitive session information such as plaintext usernames, passwords, and user identifiers.

A simple command to detect this vulnerability is to use cURL to fetch the first lines of the logged.js file and inspect its contents.

• curl -s "https://[SUBDOMAIN].[DOMAIN].gov.br/public/assets/js/logged.js" | head -n 20

This command retrieves the first 20 lines of the log file, which may reveal active session credentials and user identifiers if the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include removing the insecure logging mechanism in the config.php file, specifically the code that writes session credentials to the publicly accessible logged.js file.

Session credentials must never be written to publicly accessible static files such as .js, .txt, or .inc files.

Additionally, update the Slah CMS to the latest patched version released by the vendor on January 5, 2026, which addresses this vulnerability.

Useful 0 Not Useful 0